You may have heard about the recent “Shellshock” vulnerability, or “Bash” bug. A researcher disclosed it on the oss-sec mailing list yesterday, describing the ability to perform remote code execution through Bash.
Know that, by midnight PST yesterday, Sept 25, PubNub had applied patches to address the Shellshock Bash vulnerability across our entire data stream infrastructure. PubNub’s “no-downtime” architecture ensured that no PubNub customers were affected by these patch activities to our network.
It’s important to note that no intrusion was detected on any PubNub server.
More generally, this vulnerability has made big news because it affects the majority of servers, laptops, and mobile devices around the world. This vulnerability could allow an attacker to perform remote code execution. Given that Bash is in the default install of almost every Unix-based operating system on the planet, this is a pretty big hole (similar to the “sysadmin-heart-attack-inducing” Heartbleed vulnerability from earlier this year).
There is some speculation that other Bash vulnerabilities may exist for which patches will be released. If/when other vulnerabilities are found, we will apply patches network-wide across the PubNub Data Stream Network in short order. You can track the status of Bash issues at CVE-2014-6271: remote code execution through bash.
Please don’t hesitate to reach out to our Support Team at firstname.lastname@example.org with any questions or concerns.