Shellshock and Puppet Enterprise: Information for Our Customers

NOTE: If you haven't patched your systems, you are vulnerable.

By now you’ve probably heard of Bourne-Again Shell (bash) "Shellshock" vulnerabilities (CVE-2014-6271, CVE-2014-7169). Since the issue was announced on Wednesday morning, at Puppet Labs we have been evaluating our customers’ risk and exposure while trying to wade through new information as it came to light.

We have confirmed that if you’re able to patch your Puppet Enterprise masters and consoles with the latest bash packages available from your Linux distribution vendor, you should be safe.

There are patches available from

  • Red Hat Enterprise Linux
  • CentOS
  • Scientific Linux
  • Oracle Enterprise Linux
  • SuSE Linux Enterprise Server
  • Ubuntu LTS
  • Debian

Thus far, we haven’t been able to find any vulnerabilities on the agent side, even with an old bash installation, but we strongly recommend updating bash everywhere as soon as possible. It is very unlikely there is a significant downside to accepting new bash packages from your vendors, and our advice is to accelerate your patch acceptance process for bash.

For our Puppet Enterprise agent platforms, beyond the ones listed above, there are bash patches available for

  • Oracle Solaris
  • IBM AIX

We haven’t seen a patch yet for bash on Mac OS X. Note that much of the advice we’re seeing on the internet for updating bash via MacPorts or Homebrew does not resolve the issue of the default shell being vulnerable.
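As an added example (not part of the original post or of Puppet's own tooling), the following POSIX sh script checks whether the system's default shells, and any MacPorts or Homebrew copies, still import functions from arbitrary environment variables, the defect behind CVE-2014-6271. The list of shell paths is an assumption; the only command the check injects is a harmless echo.

```shell
#!/bin/sh
# Added example: per-binary check for the CVE-2014-6271 function-import
# defect. A patched bash prints only "test"; an unpatched one evaluates the
# trailing command in the environment value and prints "vulnerable" first.

# Returns 0 (patched or not affected), 1 (vulnerable), 2 (binary not found).
check_shell() {
    shell="$1"
    if [ ! -x "$shell" ]; then
        echo "$shell: not found"
        return 2
    fi
    # The env value looks like a function definition followed by a command.
    # Pre-patch bash parses the whole value and executes the trailing echo.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo test' 2>&1)
    case "$out" in
        *vulnerable*)
            echo "$shell: VULNERABLE (CVE-2014-6271)"
            return 1 ;;
        *)
            echo "$shell: patched or not affected"
            return 0 ;;
    esac
}

# Check the system default shells first, then the package-manager copies
# (assumed paths: MacPorts under /opt/local, Homebrew under /usr/local).
# A fixed copy there does not help while /bin/bash is still the old build.
# Returns 1 if any present shell is vulnerable, 0 otherwise.
check_all() {
    rc=0
    for s in /bin/sh /bin/bash /usr/local/bin/bash /opt/local/bin/bash; do
        check_shell "$s" || [ $? -eq 2 ] || rc=1
    done
    return $rc
}

check_all
```

Run it as root only if the shells are not world-executable; it needs no privileges otherwise. CVE-2014-7169 (the incomplete first fix) is not covered by this check, so confirm the vendor package you install addresses both CVEs.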

Please also note that while Windows does not ship with bash by default, we do know that some of our customers are installing bash via Cygwin or other means. Our advice to update these packages applies on Windows as well.

The advice above all applies to our Puppet Enterprise customers. If you’re running Puppet agents or masters on any other platforms, please follow your vendor’s advice, but it almost certainly comes down to “update bash and restart any services that consume it.” In most cases, the safest course of action is to just reboot the whole system after updating bash.

This security event is still underway and we’re working hard to provide you the most accurate information we can. Stay tuned in case we turn up anything new or find changes.

Mike Stahnke is director of engineering services at Puppet Labs.

Learn more

We have published another post about the bash vulnerability with some details for using Puppet to help you respond.
