Article ID: 123025, created on Sep 29, 2014, last review on Jun 17, 2016

  • Applies to:
  • Plesk for Linux/Unix


The Red Hat security group fixed the Shellshock vulnerability in several steps, and each step has its own CVE assigned: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187.

An investigation of the security impact and attack vectors is published on the Red Hat Security Blog.

Fixed versions of Bash have been released by the OS vendors:

Even though this vulnerability is not in a Parallels product, installing the update is highly recommended because the system can be exploited over the network.


Please use the automated script to find out whether the installed version of Bash is vulnerable: BashCheck

NOTE: Recent versions of Bash 4.3 [Ubuntu 14.x, Debian Jessie] produce a false positive warning in the check for CVE-2014-7186 (redir_stack bug).


Vulnerable machine:

$ sh bashcheck
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18:  6671 Segmentation fault: 11  bash -c "true $(printf '< /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

Updated machine:

$ sh bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

Additionally, chrooted binaries in Plesk are affected. When you install Plesk, it copies system libraries and binaries to the /var/www/vhosts/chroot/ folder and then to customers' webspace folders. If you update the system bash package, the new binaries and libraries will not be copied to /var/www/vhosts/chroot/.

However, the impact of the vulnerability in a customer's bash (<vhost>/bin/bash) is not the same as in the admin's (/bin/bash). It does not allow running arbitrary commands unless a customer uses this binary in some way other than as an SSH shell (in such rare cases, code execution could be allowed on behalf of the customer's system user only).


  1. To fix a vulnerable version, follow the update installation instructions from the OS vendors' announcements. For RHEL and CloudLinux systems, please use 'yum update bash' to get the latest version.

  2. Affected system components and possible workarounds for the additional security issue CVE-2014-7169 are described in the Red Hat article Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271). For more information and affected components, see

  3. Download the script from article #115842

  4. Update the chrooted bash with the command:

    ./ --add `which bash`
  5. Apply the changes to all domains:

    ./ --apply all
  6. Log in as a customer with chrooted bash and check that the chrooted bash is not vulnerable, as described in the Symptoms section
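
An added example, not part of the original article or of Plesk's tooling: a read-only check that lists chrooted bash copies which differ from the system bash, meaning they were not refreshed after the package update. The paths come from the article; the function name is hypothetical, and a byte-for-byte match with the system binary is assumed to mean the copy is current.

```sh
#!/bin/sh
# Added example: find chrooted bash copies left behind by a system bash update.
# Layout taken from the article: /var/www/vhosts/chroot/ is the template and
# every webspace carries its own <vhost>/bin/bash copy.

# stale_chroot_bash REFERENCE VHOSTS_ROOT   (hypothetical helper name)
# Prints one path per line for every VHOSTS_ROOT/*/bin/bash whose content
# differs from REFERENCE.
# Return codes: 0 = all copies match, 1 = stale copies found, 2 = bad input.
stale_chroot_bash() {
    ref=$1
    root=$2
    [ -f "$ref" ] && [ -d "$root" ] || return 2

    found=0
    for copy in "$root"/*/bin/bash; do
        # Skip the literal pattern when nothing matched, and non-regular files.
        [ -f "$copy" ] || continue
        # cmp -s is silent and exits non-zero when the two files differ.
        if ! cmp -s "$ref" "$copy"; then
            printf '%s\n' "$copy"
            found=1
        fi
    done
    return "$found"
}

# Usage on a Plesk server, run as root after updating the bash package:
#   stale_chroot_bash "$(command -v bash)" /var/www/vhosts
```

Run it before step 4 to see which webspaces still hold the old binary, and again after step 5 to confirm the list is empty.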
