This week, a major vulnerability was discovered in the Bash shell. Given the attack vectors we know about today and the services running on the OpenDNS Virtual Appliance (VA), we have determined that the Bash vulnerability is not remotely exploitable on the VA.
Multiple patches for the Bash vulnerability were released throughout the week. As a cautionary measure, we have incorporated these patches into a new release of our VA. We are currently beta testing this release to ensure stability. Again, we are performing these patches as a cautionary measure, in case future attack vectors are discovered that could exploit the vulnerability.
Our plan is to release this patched version of the VA by Tuesday, September 30th:
For customers with dual VAs in deployment, this patched version will be deployed automatically.
For customers with a single VA in a site, the update will not be deployed without coordinating with OpenDNS Support as it could cause a temporary loss of DNS resolution while the VA is upgraded. The OpenDNS Support team will contact you to schedule an update of your VA.
Best practice is that every environment should have a minimum of 2 VAs to ensure easy, automatic updates and redundancy within your network.
More details on the patches that are included to resolve the Bash vulnerability can be found here: