CVE-2015-0235 - GHOST - Current Status

292 views

Skip to first unread message

Matt Reider

unread,

Jan 28, 2015, 1:11:18 PM1/28/15

to vcap...@cloudfoundry.org

Severity:

Critical

Vendor:

Canonical, Red Hat

Versions Affected:

Ubuntu 10.04, 12.04, CentOS 6.

Description:

A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function call. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.

Affected Pivotal Products and Versions:

All versions of Cloud Foundry BOSH stemcells running Ubuntu Lucid and Cent OS
All versions of Cloud Foundry Runtime through v196

Mitigation:

The Cloud Foundry project recommends that Ubuntu Lucid BOSH Stemcells be upgraded to the Ubuntu Trusty Stemcells (currently version 2824).
The Cloud Foundry BOSH team will work on a patch release of the CentOS 6 Stemcell when patched Centos packages are available. This notice will be updated when fixes are available.
The Cloud Foundry Runtime team is actively working on a patch release of Ubuntu 10.04 root file system. Applications running on Cloud Foundry Runtime need to be restaged after upgrading.

All PWS (Pivotal Web Services) users should restage applications after the runtime upgrade as well.

Credit:

Qualys and Alexander Peslyak of the Openwall Project

References:

Pivotal:

* Pivotal Security Team page

* [This advisory]

OpenWall:

http://www.openwall.com/lists/oss-security/2015/01/27/9

Other:

BOSH Stemcells

Cloud Foundry Release

Reply all

Reply to author

Forward

This conversation is locked

You cannot reply and perform actions on locked conversations.

0 new messages