On September 24th, vulnerabilities CVE-2014-6271 and CVE-2014-7169, also known as Shellshock or the Bash bug, were found in the widely used Unix Bash shell. The vulnerabilities allow Bash to unintentionally execute commands from environment variables.
GoAnywhere Director, GoAnywhere Services, and GoAnywhere Gateway run on a JVM which is invoked from within a Bash shell. While GoAnywhere is not directly affected by this bug, the GoAnywhere startup process uses the common JAVA_HOME and JRE_HOME environment variables during the initialization of the JVM. It is thus possible that a compromised environment variable on a vulnerable Linux or Unix system could cause the startup and shutdown process of GoAnywhere to unintentionally execute other commands and programs.
Linoma Software [now HelpSystems] recommends that customers who deploy GoAnywhere to Linux and UNIX servers be aware of this security bug and apply the appropriate patches as they become available from their operating system vendor.
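
Until the operating system patch is in place, JAVA_HOME and JRE_HOME can be checked before the JVM is launched. The following is an added example, not GoAnywhere's or Linoma's own startup code; the function names are hypothetical, and the check relies on the fact that unpatched Bash imports any environment variable whose value begins with `() {` as a function definition.

```shell
#!/bin/sh
# Added example: pre-start audit of the environment variables a JVM launcher
# reads. Function names are hypothetical and not part of any GoAnywhere script.

# Classify one value. Prints "function-like" when it starts with the
# "() {" prefix that unpatched Bash imports as a function definition,
# "not-absolute" when it is not an absolute path, otherwise "ok".
classify_value() {
    case "$1" in
        '() {'*) echo "function-like" ;;
        /*)      echo "ok" ;;
        *)       echo "not-absolute" ;;
    esac
}

# Audit JAVA_HOME and JRE_HOME. Unset or empty variables are skipped.
# Returns 0 only when every value that is set classifies as "ok".
audit_java_env() {
    status=0
    for name in JAVA_HOME JRE_HOME; do
        eval "value=\${$name-}"      # name comes from the fixed list above
        if [ -n "$value" ]; then
            verdict=$(classify_value "$value")
            if [ "$verdict" != "ok" ]; then
                echo "REFUSE: $name is $verdict" >&2
                status=1
            fi
        fi
    done
    return "$status"
}

# List every exported variable whose value starts with "() {".
# awk's ENVIRON array is used so multi-line values are handled correctly.
# On patched Bash, legitimately exported functions (BASH_FUNC_* names)
# are listed too and need to be reviewed by hand.
list_function_like_vars() {
    awk 'BEGIN { for (k in ENVIRON) if (index(ENVIRON[k], "() {") == 1) print k }' | sort
}

# Typical use in a wrapper, before the JVM is started:
#   audit_java_env || exit 1
```

A passing audit does not replace the vendor patch; it only stops a launcher from starting with a malformed JAVA_HOME or JRE_HOME.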