ESA-29: Update on the GHOST Vulnerability
4 views
Skip to first unread message
Eucalyptus Security Team
Jan 29, 2015, 12:51:30 PM1/29/15
to security...@eucalyptus.com
ESA-29: The GHOST Vulnerability in Glibc
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-29
Issue Date: 2015-01-27
Last Updated: 2015-01-29
Severity Level: Critical
Affected Products: Eucalyptus 4.0.2 and earlier
CVE Number: CVE-2015-0235
====================================================================
OVERVIEW
------------
GHOST is a buffer overflow vulnerability in the GNU C library (glibc). The vulnerability was introduced in glibc-2.2. All hosts running Eucalyptus services should be upgraded to the latest glibc packages as soon as possible. Eucalyptus EMIs that are provided as a part of the Eucalyptus Imaging and Load Balancing services include vulnerable versions of glibc and are potentially affected by the vulnerability. We are working on providing an updated set of images to include the latest fixes.
DESCRIPTION
-------------
A heap-based buffer overflow vulnerability, called GHOST, has been discovered in glibc:
https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
This vulnerability can be exploited through calls to gethostbyname*() C functions and allows for execution of potentially arbitrary code if a number of preconditions is met.
Eucalyptus services and pre-bundled service EMIs do not directly expose the vulnerability, but because glibc is a commonly used library on Linux, the exact exposure is hard to estimate. Any software performing domain name resolution is potentially vulnerable. All hosts running Eucalyptus services should be upgraded to the latest glibc packages following by a system reboot as soon as possible:
- http://www.spinics.net/lists/centos-announce/msg05569.html
- https://rhn.redhat.com/errata/RHSA-2015-0092.html
- https://access.redhat.com/articles/1332213
EMIs for Load Balancing and Imaging services for Eucalyptus 4.0.2 and prior releases contain a vulnerable version of the glibc library and new EMIs will be made available shortly.
WORKAROUND
-------------
To update to the latest glibc packages, instances started from the Load Balancing and Imaging service EMIs can be updated at runtime with the following commands:
# yum update glibc
# reboot
The reboot is the safest way to ensure that the glibc update is picked up by all affected services.
CONTACT and HELP
-------------
Contact the Eucalyptus Security Team at secu...@eucalyptus.com.
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-29
Issue Date: 2015-01-27
Last Updated: 2015-01-29
Severity Level: Critical
Affected Products: Eucalyptus 4.0.2 and earlier
CVE Number: CVE-2015-0235
====================================================================
OVERVIEW
------------
GHOST is a buffer overflow vulnerability in the GNU C library (glibc). The vulnerability was introduced in glibc-2.2. All hosts running Eucalyptus services should be upgraded to the latest glibc packages as soon as possible. Eucalyptus EMIs that are provided as a part of the Eucalyptus Imaging and Load Balancing services include vulnerable versions of glibc and are potentially affected by the vulnerability. We are working on providing an updated set of images to include the latest fixes.
DESCRIPTION
-------------
A heap-based buffer overflow vulnerability, called GHOST, has been discovered in glibc:
https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
This vulnerability can be exploited through calls to gethostbyname*() C functions and allows for execution of potentially arbitrary code if a number of preconditions is met.
Eucalyptus services and pre-bundled service EMIs do not directly expose the vulnerability, but because glibc is a commonly used library on Linux, the exact exposure is hard to estimate. Any software performing domain name resolution is potentially vulnerable. All hosts running Eucalyptus services should be upgraded to the latest glibc packages following by a system reboot as soon as possible:
- http://www.spinics.net/lists/centos-announce/msg05569.html
- https://rhn.redhat.com/errata/RHSA-2015-0092.html
- https://access.redhat.com/articles/1332213
EMIs for Load Balancing and Imaging services for Eucalyptus 4.0.2 and prior releases contain a vulnerable version of the glibc library and new EMIs will be made available shortly.
WORKAROUND
-------------
To update to the latest glibc packages, instances started from the Load Balancing and Imaging service EMIs can be updated at runtime with the following commands:
# yum update glibc
# reboot
The reboot is the safest way to ensure that the glibc update is picked up by all affected services.
CONTACT and HELP
-------------
Contact the Eucalyptus Security Team at secu...@eucalyptus.com.
Eucalyptus Security Team
Jan 30, 2015, 10:13:31 PM1/30/15
to security...@eucalyptus.com
ESA-29: The GHOST Vulnerability in Glibc
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-29
Issue Date: 2015-01-27
Last Updated: 2015-01-30
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-29
Issue Date: 2015-01-27
Severity Level: Critical
Affected Products: Eucalyptus 4.0.2 and earlier
CVE Number: CVE-2015-0235
====================================================================
OVERVIEW
------------
GHOST is a buffer overflow vulnerability in the GNU C library (glibc). The vulnerability was introduced in glibc-2.2. All hosts running Eucalyptus services should be upgraded to the latest glibc packages as soon as possible. Eucalyptus EMIs that are provided as a part of the Eucalyptus Imaging and Load Balancing services prior to Eucalyptus 4.1.0 release include vulnerable versions of glibc and are potentially affected by the vulnerability. We recommend updating all affected EMIs and instances launched from them as soon as possible.
Affected Products: Eucalyptus 4.0.2 and earlier
CVE Number: CVE-2015-0235
====================================================================
OVERVIEW
------------
DESCRIPTION
-------------
A heap-based buffer overflow vulnerability, called GHOST, has been discovered in glibc:
https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
Eucalyptus services and pre-bundled service EMIs do not directly expose the vulnerability, but because glibc is a commonly used library on Linux, the exact exposure is hard to determine. Any software performing domain name resolution is potentially vulnerable.
EMIs for Load Balancing and Imaging services for Eucalyptus 4.0.2 and prior releases contain a vulnerable version of the glibc library. The following packages are affected:
- eucalyptus-imaging-worker-image v1.0.2-0.49.165 and earlier
- eucalyptus-load-balancer-image v1.1.2-0.89.28 and earlier
SOLUTION
-------------
All hosts running Eucalyptus services should be upgraded to the latest glibc packages followed by a system reboot as soon as possible:
- http://www.spinics.net/lists/centos-announce/msg05569.html
- https://rhn.redhat.com/errata/RHSA-2015-0092.html
- https://access.redhat.com/articles/1332213
New Imaging Worker and Load Balancer EMIs are now available for 4.0 and contain the latest glibc packages:
- https://rhn.redhat.com/errata/RHSA-2015-0092.html
- https://access.redhat.com/articles/1332213
- eucalyptus-imaging-worker-image-1.0.3-0.50.167.el6
- eucalyptus-load-balancer-image-1.1.3-0.90.37.el6
The packages can be found at:
http://downloads.eucalyptus.com/software/eucalyptus/4.0/
Instructions for installing the Load Balancer EMI can be found at:
https://www.eucalyptus.com/docs/eucalyptus/4.0.2/index.html#install-guide/configure_load_balancer.html
Instructions for installing the Imaging Worker EMI can be found at:
https://www.eucalyptus.com/docs/eucalyptus/4.0.2/index.html#install-guide/configure_imaging_service.html
WORKAROUND
-------------
To update to the latest glibc packages, instances started from previously released Load Balancing and Imaging service EMIs can be updated at runtime with the following commands:
Reply all
Reply to author
Forward
0 new messages