Security Advisory

CVE-2015-0235 – GHOST

Severity

Critical

Vendor

Canonical, Red Hat

Versions Affected

  • Ubuntu 10.04 (Lucid), 12.04 (Precise), CentOS 6.

Description

A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.

Affected Products and Versions

Severity is critical unless otherwise noted.

  • All versions of Cloud Foundry BOSH stemcells running Ubuntu 10.04 (Lucid), 12.04 (Precise), and CentOS.
  • All versions of Cloud Foundry Runtime through v196

Unaffected Products

  • Ubuntu 14.04 (Trusty) stemcells are not vulnerable.
  • Buildpacks for ruby, php, nodejs, golang and java are not vulnerable.

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Ubuntu 10.04 (Lucid) BOSH Stemcells be upgraded to the Ubuntu 14.04 (Trusty) Stemcells.
  • The Cloud Foundry BOSH team has released stemcell 2829 for CentOS 6 which uses patched CentOS packages. The Cloud Foundry project recommends that CentOS 6 stemcell users upgrade to CentOS stemcell 2829.
  • The Cloud Foundry Runtime team has completed a patch release of the Ubuntu 10.04 (Lucid) root file system, which is now available in Runtime v197. Applications running on Cloud Foundry Runtime that statically link to glibc need to be restaged after upgrading.
    • If an application or buildpack statically links to glibc, it must be restaged after the runtime upgrade.
    • Binaries included in a custom buildpack or application must be scanned and patched as needed by the application developer responsible for those assets.
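As an added illustration of the last point (this is not part of the advisory or of any Cloud Foundry tooling): a scanner that walks an application or buildpack tree and flags statically linked ELF executables, since those carry their own copy of glibc and are not fixed by the Runtime v197 root file system. It reads the ELF program headers directly, so it needs no `file` or `readelf`; the three-way linkage classification and the symbol-name hint are my assumptions.

```python
import os
import struct

PT_DYNAMIC, PT_INTERP = 2, 3
ET_EXEC, ET_DYN = 2, 3
# Symbol names an unstripped binary carrying the glibc resolver will contain.
RESOLVER_SYMBOLS = (b"gethostbyname", b"__nss_hostname_digits_dots")

def classify_elf(data: bytes) -> dict:
    """Parse one ELF image. linked is 'dynamic' (PT_INTERP: the rootfs glibc is
    used), 'shared-object' (PT_DYNAMIC only; static-PIE also lands here) or
    'static' (neither: glibc is baked in, so a rootfs upgrade cannot patch it)."""
    info = {"is_elf": False, "linked": None, "resolver_refs": False}
    if data[:4] != b"\x7fELF" or len(data) < (64 if data[4:5] == b"\x02" else 52):
        return info  # not ELF, or the header is truncated
    info["is_elf"] = True
    is64, en = data[4] == 2, ("<" if data[5] == 1 else ">")  # EI_CLASS, EI_DATA
    e_type, = struct.unpack_from(en + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(en + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(en + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 42)
    if e_type not in (ET_EXEC, ET_DYN):
        return info  # relocatable object or core dump: nothing to restage
    # Collect p_type of every program header that lies inside the image.
    ptypes = {struct.unpack_from(en + "I", data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum) if e_phoff + i * e_phentsize + 4 <= len(data)}
    info["linked"] = ("dynamic" if PT_INTERP in ptypes else
                      "shared-object" if PT_DYNAMIC in ptypes else "static")
    # Stripped static binaries keep no symbol names, so False here proves nothing.
    info["resolver_refs"] = any(s in data for s in RESOLVER_SYMBOLS)
    return info

def scan_tree(root: str) -> list:
    """Return (path, resolver_refs) for every static ELF executable under root."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    info = classify_elf(fh.read())
            except OSError:
                continue  # unreadable file: skip it, the walk continues
            if info["linked"] == "static":
                hits.append((path, info["resolver_refs"]))
    return hits
```

Run `scan_tree` against an unpacked droplet or buildpack directory; every path it returns ships its own glibc and must be rebuilt against patched packages rather than merely restaged.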

Credit

Qualys and Alexander Peslyak of the Openwall Project

References

Author: Cloud Foundry Foundation Security Team