As a small-time dev do I have to worry about shellshock?

[fifthesteight]

I have an extremely small team, lots of projects and no resources or capacity to spend on securing our web applications. I host with one of the big guys, we don't run our servers from our shop or anything like that.

Without the capacity to spare man-hours battening down the hatches- how big of a deal is being on top of this for a run-of-the-mill dev team with low-level, no-big-deal development, hosted elsewhere?

My main concern is unwittingly leaving clients servers/applications vulnerable and them falling under nefarious control...

[jestar_jokin]

It's a big deal, especially for small dev shops, as they're less likely to have people available to plug security holes or monitor servers for vulnerabilities/compromises. If you're using shared hosting, probably not an issue. If you're using a VPS, PS, or other service where you are expected to maintain the server, well...

For some systems, it's just a matter of logging in to the server and running a single command line, like "sudo yum update bash" (replace "yum" with apt-get, or another package manager).

You can leave it, but know that you're leaving your clients vulnerable to things such as:

- stolen data - data loss - compromised/corrupted/deleted backups of data, code - site disruption - botnet participation - illegal file dump/trading space - unremovable rootkits

Having said that, I believe you should be safe if you don't use CGI to run your apps.

The earlier you plug the holes, the better.

[fifthesteight]

Thank you as well. I appreciate you taking the time to answer.

We don't run cgi scripts, and we seem to be predominantly in the "probably safe" category. That said, this is the reaponse I expected. I've applied some patching on our machines (read: that first one that didnt fix a lot of vulerabilities) and I'm sure the other guys have, too.

It has just been one of those launch months where even pooping feels like burning time and money.

Seems like somebody is going to be changing gears today. Thank you.

[lastofus]

Someone is responsible for maintaining/patching your servers. Either you are, or you are paying someone to do it.

If you are paying a company to do it, send 'em an email. If you are responsible, look into what it takes to install a bash upgrade. I was able to patch my own Ubuntu VMs in about shell 3 commands manually through SSH (yay apt-get). Took all of 10 mins reading up on documentation, logging in, hitting yes to prompts...

In all seriousness, the patching process shouldn't be too much more involved than patching your desktop OS for a small shop not worried about 100s of servers, load balancers/failover mechanisms, SLAs, etc...

[fifthesteight]

Thank you, too. The patching process wasnt as much my concern as the other widespread, clever exploits that really experienced bash dudes are finding.

Like we discussed, my concern is client sites hosted on a server I pay to be maintained... I did email the provider, and at the time was satisfied with their response so thats good.

So I really apprecuate all the input. I feel okay, though some funny behavior on old, stable sites makes me worry.

Thank you for your time.

I give myself a C- and will reevaluate.p

[sippndipp]

You should test your sites with these two tools:

http://www.shellshocktest.com/

and

http://shellshock.brandonpotter.com/

There is a well maintained guide at Digital Ocean that explains the nitty gritty details:

https://www.digitalocean.com/community/tutorials/how-to-prot...

If a server is vulnerable there is a great guide that helps you to deal even with old systems:

https://dmsimard.com/2014/09/25/the-bash-cve-2014-6271-shell...

[fifthesteight]

Thank you, this is very helpful- though I was hoping to be cheap and lazy.