Recently, a major security vulnerability has been discovered in the software shell GNU Bash. The vulnerability known as Shellshock can allow attackers to remotely access and control systems using Bash (and programs that call Bash) as an attack vector. The bug affects many GNU/Linux users, as well as those using Bash on proprietary operating systems like OS X and Windows.
Most software vendors affected by this vulnerability have already issued patches. PaperCut itself does not bundle GNU bash, however we recommend all Bash users audit their services that may be affected. More information about these issues can be found at CVE-2014-6271 and CVE-2014-7169
Is PaperCut vulnerable?
PaperCut’s development processes continually focus on security, and in saying this, we believe PaperCut is not impacted by the ShellShock vulnerability. It is possible for systems hosting PaperCut to be vulnerable but we do not believe PaperCut adds to the vulnerability.
The majority of PaperCut runs in Java code in the JVM. There are points at which PaperCut does execute other processes, but the commands invoked are hard-coded and there is no way for an external source to set environment variables before execution. This means that PaperCut is not vulnerable to this attack.
This release contains an updated Java version which no longer supports 32-bit workstations. If you have any 32-bit users launching the User Client or Release Station from a network share, see this Knowledge Base article for more information.