Resolved
Earlier today, Red Hat disclosed a security vulnerability in Bash, reported to them by researcher Stephane Chazelas. The Red Hat Security blog has an excellent writeup of the technical details of the vulnerability, which has been assigned CVE-2014-6271 and is also being referred to as "bashbleed", "bashpocalypse", or "shellshock".
At this time, we have protected customer applications by updating Bash on our Cedar and Cedar-14 stacks. We have also verified that our deploy and build pipelines (i.e. git push heroku master) are fixed. Your application will automatically receive the updated stack image within the next 24 hours as your dynos restart, or you can force an immediate fix by issuing a heroku ps:restart. Should you wish to harden your applications against future attacks of this type, make sure your app follows best practices around protection from injection attacks (and specifically for this case, avoid passing user-supplied values into environment variables without escaping).
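The hardening advice above, as an added example that is not Heroku's code: a CGI-style gateway that copies request headers into the environment of a child process, with a guard that refuses any value Bash would parse as an exported function definition (the trigger for CVE-2014-6271). The header names and sample values are constructed for illustration.

```python
import os
import re

# Bash (before the fix) imported a function from any environment variable
# whose value begins with "() {", and then executed whatever followed the
# closing brace. A gateway that exports request headers as HTTP_* variables
# therefore hands attacker-controlled text straight to Bash's parser.
# The guard below rejects such values before any subprocess is spawned.
# Added example, not Heroku's code; the regex is slightly broader than Bash's
# exact "() {" check so whitespace variants are caught as well.
FUNC_EXPORT_RE = re.compile(r"^\s*\(\s*\)\s*\{")


def suspicious_headers(headers):
    """Return the names of headers whose values look like a Bash function export."""
    return sorted(name for name, value in headers.items()
                  if FUNC_EXPORT_RE.match(value))


def build_cgi_env(headers, base_env=None):
    """Build a CGI-style environment (HTTP_<NAME>=value) from request headers.

    Returns None instead of an environment when any header would be imported
    by a vulnerable Bash as a function definition, so the caller can refuse
    the request rather than pass the value on to a shell.
    """
    if suspicious_headers(headers):
        return None
    env = dict(os.environ if base_env is None else base_env)
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# Constructed sample requests: a benign one and one carrying the function
# prefix alone, which is already enough to be rejected.
BENIGN = {"User-Agent": "Mozilla/5.0", "Accept": "text/html"}
HOSTILE = {"User-Agent": "() { :; }", "Accept": "text/html"}

if __name__ == "__main__":
    for label, headers in (("benign", BENIGN), ("hostile", HOSTILE)):
        env = build_cgi_env(headers, base_env={})
        print(label, "->", "rejected" if env is None else sorted(env))
```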
Thank you for your patience while we worked on resolving this issue. As always, please don’t hesitate to let us know if you have any additional questions or concerns.
Retroactive
We are aware of the Bash Security Advisory. Our security team and engineers are working to assess and remediate any exposure as quickly as possible.