Article ID: 123009, created on Sep 25, 2014, last review on Jun 17, 2016

  • Applies to:
  • Operations Automation 5.0
  • Virtuozzo 6.0
  • Virtuozzo containers for Linux
  • Virtuozzo hypervisor


The Redhat security group fixed shellshock vulnerability in several steps and each step have its own CVE assigned: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187.

Security impact and attack vectors' investigation is published on Redhat Security Blog.

The fixed version of bash are released by the OS vendors:

Even though this vulnerability is not in a product of Parallels, it is highly recommended to install the update because it is possible to exploit the system over the network.


Please use the automated script to find out if installed version of Bash is vulnerable: BashCheck

NOTE: Recent versions of Bash 4.3 [Ubuntu 14.x, Debian Jessie] produce a false positive warning in the check for CVE-2014-7186 (redir_stack bug).


Vulnerable machine:

$ sh bashcheck
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18:  6671 Segmentation fault: 11  bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

Updated machine:

$ sh bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs


  1. To fix a vulnerable version on the hardware node, follow the instructions below:

    # yum clean all
    # yum update bash
  2. To fix a vulnerable version in containers:

    • Operating system template cache(s) should be recreated (to avoid the problem for the newly created containers):

      ~# vzpkg update cache DISTR-VER-ARCH -r
    • For existing containers:

      ~# vzpkg update <CTID>

      or a single package specifically:

      ~# vzpkg update CTID -p bash
    • To update VMs – please follow instructions provided by guest OS vendor.
  3. Affected system components and possible workarounds for the additional security issue CVE-2014-7169 are described in the Redhat article Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271). For more information and affected components, see

Search Words



yum update bash package for PSBM



Bash Code Injection Vulnerability

update for bash vulnerability


Yum update bash package for PSBM

vzpkg update


c62e8726973f80975db0531f1ed5c6a2 2897d76d56d2010f4e3a28f864d69223 0dd5b9380c7d4884d77587f3eb0fa8ef a26b38f94253cdfbf1028d72cf3a498b e8e50b42231236b82df27684e7ec0beb d02f9caf3e11b191a38179103495106f 5356b422f65bdad1c3e9edca5d74a1ae caea8340e2d186a540518d08602aa065 614fd0b754f34d5efe9627f2057b8642 c27596ac4fff6cb4c8ec8891dae57001 2554725ed606193dd9bbce21365bed4e

Email subscription for changes to this article
Save as PDF