Yesterday a vulnerability in glibc was disclosed, one which requires an update. The vulnerability allows attackers to run arbitrary code on affected servers and thereby gain access to these systems. In more technical terms, the vulnerability is a buffer overflow that can be abused for remote arbitrary code execution.
Glibc is a core component of nearly every Linux server and offers a library of frequently used functions. Other software uses this library to, for instance, look up the time or find an internet address.
Because glibc is used by almost every software package under Linux, this unfortunately also means virtually all software is exposed to this vulnerability. Or put differently: attackers can exploit this vulnerability through your web server, database server, mail server and so on, even though these servers are not themselves vulnerable.
An update which solves this issue is available for most current Linux distributions. You are therefore urged to install this update as soon as possible. Please restart your server after installation to make sure the new version is actually used by all software packages.
How does the vulnerability work?
The gethostbyname() and gethostbyname2() functions are used to retrieve IP addresses based on a hostname and vice versa. These functions do not check the length of the answer returned, which allows for a so-called buffer overflow exploit. An attacker would therefore be able to set up a DNS server which returns too much information upon request, and then only needs to make sure a service running on your server retrieves this information.
Which systems are vulnerable?
The vulnerability is found in glibc versions up to and including 2.17. Newer versions are not affected.
The following systems by default use a vulnerable version:
- Debian 6-LTS and Debian 7
- Ubuntu, all versions up to and including 13.10
- RedHat Enterprise Linux 5, 6 and 7
- CentOS 5, 6 and 7
How do I install updates?
Please note: except for RedHat/CentOS, the instructions below install all available updates. Make sure beforehand that the available updates do not break compatibility with your existing software and/or website. It is also possible to install only the glibc update; please follow the instructions for your specific system.
Debian, Ubuntu and other systems based on apt:
apt-get update && apt-get upgrade
Please note: systems based on Debian 6 must have LTS support enabled, which is not the case by default. For more information please see: https://wiki.debian.org/LTS/Using
RedHat, CentOS and other systems based on rpm:
yum update glibc
Gentoo and other systems based on emerge:
emerge --update glibc
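Three checks that follow from this advisory, as an added example and not part of the CloudVPS notice: whether the installed glibc version falls in the range listed above, whether the distribution's package changelog already records the CVE-2015-0235 backport (the changelog locations and commands are assumptions about rpm- and dpkg-based systems), and which processes still run the old libc after the update and therefore need the restart requested above.

```shell
#!/bin/sh
# Added example, not CloudVPS tooling: (1) is a glibc version in the range the advisory
# lists (up to 2.17)? (2) does the package changelog already record the CVE-2015-0235 fix?
# Distributions backport fixes without raising the upstream version, so a version in the
# range alone is not proof of exposure (changelog locations are assumptions). (3) after the
# update, which processes still map the deleted old libc and therefore need a restart?

# Returns 0 when MAJOR.MINOR of $1 is <= 2.17, 1 otherwise, 2 on unparsable input.
# Only the first two numeric components count: "2.19-r1" and "2.17.3" are handled.
glibc_version_in_vulnerable_range() {
    ver=$1; major=${ver%%.*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%[!0-9]*}; minor=${minor:-0} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -lt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -le 17 ] && return 0
    return 1
}

# Prints the running system's glibc version, e.g. "2.17" (empty if getconf is absent).
installed_glibc_version() { getconf GNU_LIBC_VERSION 2>/dev/null | awk '{ print $2 }'; }

# Returns 0 if the package changelog mentions the fix (rpm- or dpkg-based systems).
package_changelog_mentions_fix() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog glibc 2>/dev/null | grep -q CVE-2015-0235 && return 0
    fi
    if [ -r /usr/share/doc/libc6/changelog.Debian.gz ]; then
        zcat /usr/share/doc/libc6/changelog.Debian.gz | grep -q CVE-2015-0235 && return 0
    fi
    return 1
}

# Prints PIDs whose memory maps still reference a libc file marked "(deleted)", i.e.
# processes started before the update that still run the old code (run as root).
processes_using_deleted_libc() {
    for maps in /proc/[0-9]*/maps; do
        grep -q 'libc[-.][^ ]* (deleted)' "$maps" 2>/dev/null || continue
        pid=${maps#/proc/}; echo "${pid%/maps}"
    done
}
installed=$(installed_glibc_version)
if [ -z "$installed" ]; then echo "could not determine the glibc version"
elif glibc_version_in_vulnerable_range "$installed" && ! package_changelog_mentions_fix; then
    echo "glibc $installed: in the advisory's range and no backport evidence found: update now"
else echo "glibc $installed: outside the range, or the package changelog records the fix"; fi
processes_using_deleted_libc | sed 's/^/pid still using pre-update libc, restart needed: /'
```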
Does your server have SLA2 or SLA3?
For servers for which an additional service level has been purchased, the updates will be installed by us. You will only need to restart the server yourself at a moment which suits you. More information on this will be sent by e-mail shortly.
For more information about our additional service levels please see here:
About this vulnerability
More technical information about this vulnerability can be found here:
- The bugreport: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
- The vulnerability announcement by the discoverers: http://www.openwall.com/lists/oss-security/2015/01/27/9
For more information
If you have any questions or remarks regarding this message, please send them to the CloudVPS Servicedesk at firstname.lastname@example.org. We will answer any and all questions you may have.