Koha ILS

Koha and Shellshock

There has been a lot of reports lately about a newly discovered vulnerability in Linux systems, called by some “Shell Shock” (or “shellshock”). Shellshock is a long-standing but newly uncovered bug in the bash shell, used on Linux systems, including Debian and Ubuntu.

You can read the full CVE reports here:

The gist of the report is this:

“The vulnerability is caused by the ability to create environment variables with values before calling the bash shell. The variables that are passed can contain code, which are executed before the shell is actually invoked. The vulnerability is then exposed in the ability to add extra code to the end of these functions.”

ByWater staff have been researching and discussing this issue since its exposure, and we do not feel that Koha servers are at great risk from this. The media reports, as is often the case, are exaggerating the danger. For someone to exploit this bug, they basically have to get access to the bash shell. The primary means of doing so is to either get a command line connection the server (SSH, or any connection that listens to the world at large and sends variable info to the bash shell), or to attack a web site that is using CGI scripts that are written in Bash or launch Bash subshells, and somehow trick these scripts into sending these environment variables (and malicious code) to bash on the server.

As for the command line route, all ByWater-hosted servers are strongly locked down against SSH or other attacks. (Our firewall philosophy is to block everything, and only open what we have to.) With very limited exceptions, there is NO outside access to our servers that is capable of sending anything to bash. (Put another way, the only way to use SSH to exploit the bash bug is to first be able to make the SSH connection, and on ByWater servers, the only ones who can do that are ByWater staff, coming from the ByWater private network; no outside connection = no exploit.) And the limited exceptions are sites that use SFTP or SCP to upload files to the server, and in those cases, they are using a CHROOT-ed csh account, so there is no access to bash anyway.

As to injecting outside code through the Koha web interface, the CGI scripts used by Koha are written in Perl, not Bash. In addition, it is part of the quality control in Koha that all code included be hardened against injection attacks. I’ve spoken with our ByWater programmers, and neither are aware of any Koha Perl scripts that would be exploitable by this bug.

So, even if a Koha server has a version of Bash with the bug, it is highly unlikely that server would be vulnerable if reasonable access precautions are in place. And fortunately, we don’t have to worry about that small threat either; there’s already a patch. One of the great things about open source is once bugs are found, esp. big ones, they are usually quickly fixed. A patched version of bash was available almost before some of the alarmist articles were even published. Those of you on ByWater-hosted servers have already been patched.

For those partners who are self-hosted, you can test for the vulnerability by going to the command line of your server, make sure you’re using the bash shell, and then type this:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see “vulnerable” in the output, you have the bug. If you don’t, then you are already patched.

If you are self-hosted and want to install the patch, you can do the following:

For Debian Wheezy:
The patched version is already in the APT repositories, so just do:

sudo apt-get update
sudo apt-get install -y bash

For Debian Squeeze:

wget ftp://ftp.debian.org/debian/pool/main/b/bash/bash_4.1-3+deb6u2_amd64.deb

# Note – This is assuming you are running Debian Squeeze on either AMD or Intel 64-bit processors. If on other, look for version and system architecture that is appropriate for your server.

Then install the new version with:

sudo dpkg -i ./bash_4.1-3+deb6u2_amd64.deb

For Ubuntu users:

I believe the patched version should already be in the repositories, so the same instructions for Debian Wheezy should work.

Test after patching by running the same command above; you should *not* see the word, “vulnerable”.

(Note to ByWater self-hosted partners, we will be testing your servers for you in the next couple of days, and if it is not patched, we will go ahead and patch it.)

More Information:

There’s lot of information out on the web about this, but I found this site to give a particularly clear explanation:


Read more by Larry Baerveldt