We have fielded numerous questions about how UnForm is affected by the Linux "bash" shell program vulnerability that was announced September 24, 2014. This can potentially affect UnForm installations if they use CGI to access the browser interface. This is the case with UnForm 9 on Linux, AIX, or OS/X installations, and also with earlier releases if you use the CGI script that was provided for use outside of the internal UnForm web server. Note that this issue does not affect Windows installations in any way.


If you are using the internal web server (typically accessed with a URL like http://someserver:27282/arc), then no bash script is involved and you are not affected by the vulnerability.


If you are using UnForm 9, or an external web server and CGI on older versions, then yes: any CGI task running through bash is potentially affected. You have three choices:

 

1) Update bash per the platform you are using to get the patched version.  Patches for major, current platforms were quickly released.

 

2) Change to the Korn shell by editing web/ufarc.exe (or older CGI scripts) so the top line reads: #!/bin/ksh, assuming of course that /bin/ksh is available as the Korn shell. Note that this script is created whenever you run ufsetup.sh, so check the top line again after running it. Korn shell is an older Unix shell that is available for Linux and other Unix platforms but is not always installed as part of a default distribution, so you might need to install it.

 

3) Ignore the potential issue, which may be appropriate on private networks, since you won't be vulnerable if hackers can't reach your system.
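
A check for choice 2, added here as an example and not part of UnForm or the original note: the script reads the top line of a CGI script and reports whether it runs through bash, including when the named interpreter (for example /bin/sh) is a symbolic link to bash. The function names and the file name check_cgi_shell.sh are hypothetical; web/ufarc.exe is the path given above.

```shell
#!/bin/sh
# Added example (not UnForm code): report whether a CGI script's top line
# selects bash, directly or through a symlink such as /bin/sh -> bash.

# Print the interpreter named on the first line of file $1; for
# "#!/usr/bin/env NAME" print NAME. Returns 1 if there is no "#!" line.
shebang_interpreter() {
    si_line=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case $si_line in
        '#!'*) si_line=${si_line#'#!'} ;;
        *) return 1 ;;
    esac
    set -f                  # no filename expansion while splitting words
    set -- $si_line
    set +f
    [ $# -gt 0 ] || return 1
    case ${1##*/} in
        env) [ $# -gt 1 ] || return 1; printf '%s\n' "$2" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Exit status: 0 = runs through bash, 1 = another interpreter, 2 = no "#!" line.
runs_through_bash() {
    rb_interp=$(shebang_interpreter "$1") || return 2
    case $rb_interp in
        /*) rb_path=$rb_interp ;;
        *)  rb_path=$(command -v "$rb_interp" 2>/dev/null) || rb_path=$rb_interp ;;
    esac
    # Follow symlinks where readlink -f exists; otherwise keep the path as is.
    rb_real=$(readlink -f "$rb_path" 2>/dev/null) || rb_real=$rb_path
    [ -n "$rb_real" ] || rb_real=$rb_path
    case ${rb_real##*/} in
        bash) return 0 ;;
        *)    return 1 ;;
    esac
}

# Usage (path from the text above): sh check_cgi_shell.sh web/ufarc.exe
for f in "$@"; do
    if runs_through_bash "$f"; then
        echo "$f: runs through bash"
    else
        case $? in
            1) echo "$f: does not run through bash" ;;
            *) echo "$f: no interpreter line found" ;;
        esac
    fi
done
```

Run it again after ufsetup.sh, since that is when the script is created.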