NGINX and the CVE-2014-6271 Bash Advisory

Owen Garrett Thumbnail
Owen Garrett
Published September 25, 2014

On September 24, 2014, a vulnerability was revealed in the Bash shell interpreter. The details are described in CVE-2014-6271. Note that there is a follow‑up vulnerability (CVE-2014-7169) that has not been patched as of this writing.

This bug does not affect the NGINX or NGINX Plus software directly, but if you are running on an affected host system, we recommend that you upgrade the copy of bash on that system as soon as possible.

Please refer to your operating system vendor’s instructions. For your convenience, here are a few links:


The NGINX Plus Amazon Machine Images (AMIs) (Version 1.3) are built on Amazon Linux or Ubuntu, and suffer from this vulnerability. We’re building and testing updated AMIs, and in the interim you need to run the following commands to manually update the bash package on those AMIs:

  • For Amazon Linux AMIs:

    $ sudo yum update bash
  • For Ubuntu AMIs:

    $ sudo apt-get update
    $ sudo apt-get install bash

Note that new Amazon Linux‑based instances are automatically updated on startup.

"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous links will redirect to similar NGINX content on"