On September 24th Ubuntu released a security notice outlining details of a security vulnerability in the bash shell. You can see the full notice here:
http://www.ubuntu.com/usn/usn-2362-1/
This issue is tracked in the National Vulnerability Database as:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
and
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
Some background to this issue
Bash is one of several Linux shells that run on the Ubuntu operating system, which is the operating system used by VisibleThread for both VisibleThread Docs and Clarity Grader. This vulnerability allows an attacker to run malicious code on the vulnerable system by setting malicious environment variables. It's important to note that in order to exploit this vulnerability, the attacker must already have gained access to the system via another means.
How does this impact you as a VisibleThread Docs or Clarity Grader customer?
In some cases, no remediation steps are required. Below, we summarize which VisibleThread products and services are impacted by the vulnerability:
Case 1: VisibleThread Docs on-premise (behind the firewall) customers
All versions of VisibleThread Docs on-premise are vulnerable to this issue.
Please note: Even though you are affected, the VisibleThread on-premise deployment is running self-contained behind your corporate firewall and so this vulnerability is very low risk in normal corporate settings.
What do you need to do?
Follow the instructions in this article to check whether you are impacted by this issue and to remediate it.
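For a quick local check of the bash binary on an on-premise server, the script below probes for both CVEs listed above. It is an added example, not VisibleThread's own instructions or code from the linked article; the function names and the `vt_probe` variable are constructed here.

```shell
#!/bin/sh
# Added example: local self-check for the two bash CVEs named in this notice.
# Function names and the vt_probe variable are constructed for illustration.
# The probes only print a marker or create an empty file in a temp directory.

# CVE-2014-6271: vulnerable bash runs the command that trails a function
# definition imported from an environment variable.
check_6271() {
    out_6271=$(env vt_probe='() { :;}; echo VT_MARKER' "$1" -c ':' 2>/dev/null) || true
    case $out_6271 in
        *VT_MARKER*) echo "vulnerable" ;;
        *)           echo "not vulnerable" ;;
    esac
}

# CVE-2014-7169: the first fix was incomplete; leftover parser state turns the
# next command's first word into a redirect target (a file named "echo").
check_7169() {
    tmp_7169=$(mktemp -d) || return 2
    ( cd "$tmp_7169" && env vt_probe='() { (a)=>\' "$1" -c 'echo true' ) >/dev/null 2>&1 || true
    if [ -e "$tmp_7169/echo" ]; then res_7169="vulnerable"; else res_7169="not vulnerable"; fi
    rm -rf "$tmp_7169"
    echo "$res_7169"
}

# Print one line per CVE; return 1 if either probe reports "vulnerable".
shellshock_report() {
    sh_bin=${1:-bash}
    if ! command -v "$sh_bin" >/dev/null 2>&1; then
        echo "$sh_bin: not installed, nothing to check"
        return 0
    fi
    r1=$(check_6271 "$sh_bin")
    r2=$(check_7169 "$sh_bin")
    echo "CVE-2014-6271: $r1"
    echo "CVE-2014-7169: $r2"
    [ "$r1" = "not vulnerable" ] && [ "$r2" = "not vulnerable" ]
}

# Checks the bash found on PATH, or the binary given as the first argument.
shellshock_report "${1:-bash}"
```

Run it again after applying the Ubuntu update to confirm that both lines read "not vulnerable".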
Case 2: VisibleThread Docs Cloud (on-demand) customers:
Our VisibleThread for Doc service (https://vt1.visiblethread.com) has been patched to remove this vulnerability. We have no evidence to suggest that our VisibleThread servers were exploited by this vulnerability.
What do you need to do?
In this case, no action is required on your side.
Case 3: Clarity Grader Cloud customers:
Our Clarity Grader service (https://dashboard.claritygrader.com) has been patched to remove this vulnerability. We have no evidence to suggest that our Clarity Grader servers were exploited by this vulnerability.
What do you need to do?
In this case, no action is required on your side.
----------
Please don't hesitate to contact us at support@visiblethread.com if you have any questions regarding this issue.
VisibleThread Support Team