Update - September 26: Further vulnerabilities have been discovered in bash (CVE-2014-7169) and all major distributions have updated their bash packages. If you haven't done so, update all copies of bash again using the instructions below.
Earlier today serious vulnerabilities in bash were discovered (CVE-2014-6271 aka Shellshock or "Bash Bug") which allow arbitrary code execution using specially-crafted environment variables. You can read more about it at Wikipedia.
Buildbox is a platform for automating your build processes using your own scripts (often bash scripts) with data being passed to them from the build-agent using environment variables (configured via the web interface), and we've been working hard to fully investigate the attack as well as rolling out numerous fixes to help protect all customers.
Steps we've taken in the past 24 hours:
- Updated all copies of bash on the Buildbox servers.
- Updated the Buildbox job system to block potentially dangerous environment variable values (basically anything loosely starting with ()). This will help to protect your build agents from being compromised via the Buildbox web interface.
- Scanned our database and logs for signs of malicious activity. None were found.
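As an added illustration of the job-system rule described above (not Buildbox's own code), here is a small POSIX sh filter that rejects any environment-variable value which, after leading whitespace is stripped, begins with "()", the shape a bash exported function definition takes. The sample values it is run against are constructed for the example.

```sh
#!/bin/sh
# Added example: block environment-variable values that look like a bash
# function export ("() { ...") before they reach a build agent.
# This is an illustration of the post's rule, not Buildbox's implementation.

# is_function_export VALUE
# Returns 0 (true) if VALUE, with leading spaces/tabs removed, starts with "()".
is_function_export() {
  stripped=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
  case "$stripped" in
    '()'*) return 0 ;;
    *)     return 1 ;;
  esac
}

# check_build_env NAME VALUE
# Prints "ok NAME" and returns 0 when the value is allowed; otherwise logs a
# blocked message to stderr and returns 1 so the caller can refuse the job.
check_build_env() {
  if is_function_export "$2"; then
    printf 'blocked %s: value starts with "()"\n' "$1" >&2
    return 1
  fi
  printf 'ok %s\n' "$1"
  return 0
}

# Constructed sample inputs (the first two mimic the exported-function shape).
check_build_env BUILD_MSG '() { :;}; echo not-a-real-payload' || true
check_build_env BUILD_TAB '	() { :;}' || true
check_build_env BUILD_OK 'release-1.2 (stable)'
```

Patched bash no longer evaluates such values, which is why the post still tells you to update bash on every build server rather than rely on this filter alone.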
Even though we've taken these steps, it's still extremely important that you update bash on your build servers.
Steps you need to take immediately:
- Update bash on your build servers:
- Ubuntu and Debian:
sudo apt-get update && sudo apt-get install --only-upgrade bash
- CentOS and Redhat:
sudo yum update bash
- OS X
- Ensure buildbox-agent is running as a user with the least amount of privileges.
- Ensure your Buildbox account itself is secure.
- Continue to monitor the situation (#shellshock on Twitter), updating your servers as necessary.
We'll continue to monitor the vulnerability and roll out any further fixes as they come to light, as well as updating this blog post and tweeting from @buildbox.
If you need assistance updating your server, or have any questions, send an email to email@example.com.