While the Shellshock vulnerability continues to feed a patching frenzy across the Internet, those using Ping Identity product solutions can rest easy.
Ping's Security Operations confirmed that system updates on all PingOne and PingID production, staging and test services affected by this vulnerability have been completed as of yesterday (September 25, 2014). Ping Identity's Site Reliability Team re-deployed our entire hosted infrastructure with fresh instance versions containing patched GNU Bash installations by 11:00 am MST Thursday morning. Security Operations has zero indications any systems were compromised, and are continuing to monitor the situation closely.
Customers infrastructure and servers running PingFederate and PingAccess on-premise may be at risk indirectly to the Shellshock vulnerability when configurations of PingFederate or PingAccess are installed on affected operating systems. Please consult your operating system vendor for their recommended guidance.
Ping Identity customers with concerns regarding issues related to CVE-2014-6271, CVE-2014-7169, or CVE-2014-6271 are encouraged to open a ticket with our Global Support organization by contacting email@example.com.