On September 24, a vulnerability in Bash, named Shellshock, was publicly announced. The original Shellshock advisory, CVE-2014-6271, described a severe, remotely exploitable vulnerability in all versions of GNU Bash. A follow-up advisory, CVE-2014-7169, was issued for an incomplete fix to CVE-2014-6271.
A security review of Wealthfront systems confirmed that no client-facing components were vulnerable to Shellshock. The Wealthfront team deployed fixes for CVE-2014-6271 and CVE-2014-7169 on all internal hosts, consistent with security best practices.
Further Resources for Shellshock Help
We recommend auditing all systems using Bash and upgrading. Here are some resources we found useful in our response to this disclosure:
As always, if you have any questions about the security of your Wealthfront account, contact us at firstname.lastname@example.org. We will continue to monitor this issue as the community and vendors investigate this vulnerability further.