I have an extremely small team, lots of projects and no resources or capacity to spend on securing our web applications. I host with one of the big guys; we don't run our servers from our shop or anything like that.

Without the capacity to spare man-hours battening down the hatches, how big of a deal is being on top of this for a run-of-the-mill dev team with low-level, no-big-deal development, hosted elsewhere?

My main concern is unwittingly leaving clients' servers/applications vulnerable and them falling under nefarious control...
It's a big deal, especially for small dev shops, as they're less likely to have people available to plug security holes or monitor servers for vulnerabilities/compromises. If you're using shared hosting, probably not an issue. If you're using a VPS, PS, or other service where you are expected to maintain the server, well...

For some systems, it's just a matter of logging in to the server and running a single command line, like "sudo yum update bash" (replace "yum" with apt-get, or another package manager).

You can leave it, but know that you're leaving your clients vulnerable to things such as:

- stolen data
- data loss
- compromised/corrupted/deleted backups of data, code
- site disruption
- botnet participation
- illegal file dump/trading space
- unremovable rootkits

Having said that, I believe you should be safe if you don't use CGI to run your apps.

The earlier you plug the holes, the better.
Someone is responsible for maintaining/patching your servers. Either you are, or you are paying someone to do it.

If you are paying a company to do it, send 'em an email. If you are responsible, look into what it takes to install a bash upgrade. I was able to patch my own Ubuntu VMs in about 3 shell commands manually through SSH (yay apt-get). Took all of 10 mins reading up on documentation, logging in, hitting yes to prompts...

In all seriousness, the patching process shouldn't be too much more involved than patching your desktop OS for a small shop not worried about 100s of servers, load balancers/failover mechanisms, SLAs, etc...
You should test your sites with these two tools:

http://www.shellshocktest.com/

and

http://shellshock.brandonpotter.com/

There is a well maintained guide at Digital Ocean that explains the nitty gritty details:

https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability

If a server is vulnerable there is a great guide that helps you to deal even with old systems:

https://dmsimard.com/2014/09/25/the-bash-cve-2014-6271-shellshock-vulnerability/
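The two preceding replies describe the procedure (check whether your bash is affected, then upgrade the package) and point at online testers. The script below is an added example, not code posted by anyone in this thread or by the sites linked above: it runs the well-known local checks for CVE-2014-6271 and for the incomplete first fix (CVE-2014-7169) against the bash on the machine, offers a curl-based check of a CGI URL you control, and wraps the apt-get upgrade step. Function names, the marker string, and the assumption that `curl` and `mktemp` are installed are my own choices.

```shell
#!/bin/sh
# Added example for the thread above (not the posters' code).
# Local Shellshock checks plus the package-manager patch step.

# CVE-2014-6271: a vulnerable bash, while importing an exported function
# from the environment, also executes whatever follows the function body.
# Prints "patched", "vulnerable" or "no-bash".
check_local_bash() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # We look for the marker in the output; a patched bash prints only "probe".
    out=$(env x='() { :;}; echo SHELLSHOCK_VULNERABLE' bash -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_VULNERABLE*) echo "vulnerable" ;;
        *) echo "patched" ;;
    esac
}

# CVE-2014-7169 (the bug left after the first patch): a vulnerable bash
# mis-parses the definition and ends up creating a file named "echo" in the
# current directory. Run it in a scratch directory so nothing real is touched.
check_local_bash_7169() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
    rm -rf "$tmp"
}

# Remote check of a CGI endpoint you own (assumes curl is installed).
# The web server passes request headers to the script as environment
# variables, which is how a crafted User-Agent reaches a vulnerable bash.
# Prints "vulnerable" if the marker comes back, otherwise "no-marker".
check_cgi_url() {
    url=$1
    resp=$(curl -s -m 10 -A '() { :;}; echo; echo SHELLSHOCK_VULNERABLE' "$url") || true
    case "$resp" in
        *SHELLSHOCK_VULNERABLE*) echo "vulnerable" ;;
        *) echo "no-marker" ;;
    esac
}

# The fix the posters describe, Debian/Ubuntu flavour; on RHEL/CentOS the
# equivalent is "sudo yum update bash". Not invoked automatically here.
patch_bash_apt() {
    sudo apt-get update && sudo apt-get install --only-upgrade bash
}

# Usage, by hand:
#   . ./shellshock_check.sh
#   check_local_bash; check_local_bash_7169
#   check_cgi_url http://your-host/cgi-bin/your-script.cgi
#   patch_bash_apt   # only if a check printed "vulnerable"
```

Run the two local checks again after upgrading; "patched" from both is what you want, and if the first check is clean but the second still prints "vulnerable", the package you installed carries only the first, incomplete fix.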