Skip to main content
OCC Flag

An official website of the United States government

OCC Bulletin 2014-48 | September 26, 2014

Bourne-Again Shell (Bash) "Shellshock" Vulnerability: FFIEC Alert


Chief Executive Officers of All National Banks, Federal Branches and Agencies, and Federal Savings Associations; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties


The members of the Federal Financial Institutions Examination Council (FFIEC)1 today issued the attached alert to notify financial institutions of a material security vulnerability in Bourne-again shell (Bash) system software widely used in servers and other computing devices that could allow attackers to access and gain control of operating systems. The alert outlines the risks associated with this vulnerability (also known as "Shellshock"), the risk mitigation steps that financial institutions are expected to take, and additional resources to help institutions mitigate the risks.


Banks should address Shellshock by taking appropriate risk mitigation steps, including

  • identifying vulnerable internal systems and services.
  • following appropriate patch management practices.
  • ensuring that third-party vendors take appropriate risk mitigation steps and monitoring the status of the vendors’ efforts.

Note for Community Banks

Community banks should ensure that their in-house information technology unit or their service providers are taking appropriate action to mitigate this risk.

Further Information

Given the evolving information about the scope and nature of this vulnerability, banks should remain vigilant and continue their ongoing risk assessments and monitoring to detect and prevent unauthorized access. The resources described below provide additional guidance on the enhancement of risk and vulnerability identification and the implementation of appropriate risk mitigation and management practices.

Questions regarding the FFIEC statement should be directed to the Office of the Comptroller of the Currency’s Bank Information Technology Division at (202) 649-6340.


Carolyn G. DuChene
Deputy Comptroller for Operational Risk

Related Links

Additional Resources

1 The FFIEC members are the Board of Governors of the Federal Reserve System, the Consumer Financial Protection Bureau the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the State Liaison Committee.