Skip to main content

CoreOS Machines Secured from Shellshock

Over the last few hours we began rolling out shellshock fixes to all CoreOS deploys that have automatic updates enabled (this is default). If you have disabled automatic upgrades through cloud-config reboot-strategy, a manual reboot should give you the latest version.

You can test if your CoreOS has been patched by testing the exploit, or by checking the version of CoreOS you are running in /etc/os-release. Patched versions are listed below:

Channel Version Release Notes
Alpha 452.0.0 View Release Notes
Beta 444.2.0 View Release Notes
Stable 410.1.0 View Release Notes


This is an important example of our update philosophy. We believe the key to security is not just making patches available, but also applying them. Everything we build is to make this process safe. Hours after the real fix was published, we built new images, deployed them to every CoreOS platform, and patched the CoreOS slice of the internet.

Only half the problem

An astute reader might ask: what happens to the bash instances inside Docker containers? This is indeed a problem. One of the issues with building an image for every application is that you have sprawl: now there are multiple versions of bash, running in the various Docker containers.

Once Docker updates their base images, you will need to rebuild every image in your environment, as well as re-deploy it.

Updating containers is an open problem, and we intend to help with this by applying our update model to containers as well. More to come on this soon, but we hope this model will make huge improvements in the security of the internet.