Additional Shellshock (GNU Bash) Vulnerabilities (CVE-2014-6277 and CVE-2014-6278) Identified (post updated on October 14, 2014)
On September 29, 2014, two additional vulnerabilities were identified in GNU Bash. Per our defined risk mitigation procedures, we continue to do vulnerability assessments on all of our systems and take the requisite steps to mitigate any potential risks.
A WAF-based rule is available to all our application performance (ADN) and commerce (Transact) customers that will inspect all HTTP/HTTPS requests targeted at their origin to protect their own internal systems against the latest vulnerabilities described in CVE-2014-6277, CVE-2014-6278, CVE-2014-6271 and CVE-2014-7169.
Update October 14, 2014:
Additional protection built into our software stack (Sailfish) offers protection to all our customers. This solution will also inspect all HTTP/HTTPS requests for attacks. However, this protection is applied directly into a customer’s configuration files and must be enabled by Verizon Digital Media Services employees. Customers can request our solution by contacting us at: