Released 9/25/2014 – Pexip Infinity does not use the Bash shell as the default system shell. Remotely accessible network services (including the Apache web server) do not use environment variables and thus do not provide a mechanism for an attacker to inject code. The local system administrator account requires authentication before access is granted and is already permitted to execute arbitrary code on the system. Therefore Pexip strongly encourages users to use secure passwords for the system administrator account, and to firewall it from external access. Despite lack of remote exposure to this vulnerability, Pexip will include fixes for this vulnerability within the next planned release of software, version 7.
For more information regarding securing your Pexip Infinity environment, please contact Covene – firstname.lastname@example.org or +1.314.594.5011