ESA-29: The GHOST Vulnerability in Glibc
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-29
Issue Date: 2015-01-27
Last Updated: 2015-01-30
Severity Level: Critical
Affected Products: Eucalyptus 4.0.2 and earlier
CVE Number: CVE-2015-0235
====================================================================
OVERVIEW
------------
GHOST is a buffer overflow vulnerability in the GNU C library (glibc). The vulnerability was introduced in glibc-2.2. All hosts running Eucalyptus services should be upgraded to the latest glibc packages as soon as possible. Eucalyptus EMIs that are provided as a part of the Eucalyptus Imaging and Load Balancing services prior to the Eucalyptus 4.1.0 release include vulnerable versions of glibc and are potentially affected by the vulnerability. We recommend updating all affected EMIs, and instances launched from them, as soon as possible.
This vulnerability can be exploited through calls to the gethostbyname() and gethostbyname2() C functions and allows execution of potentially arbitrary code if a number of preconditions are met.
Eucalyptus services and pre-bundled service EMIs do not directly expose the vulnerability, but because glibc is a commonly used library on Linux, the exact exposure is hard to determine. Any software performing domain name resolution is potentially vulnerable.
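As an added example (not part of this advisory), the following C program applies the canary technique of the public GHOST test program to report whether the glibc on the host it is compiled and run on still has the overflow in the gethostbyname() family; it assumes a glibc-based Linux host and a C compiler, and the canary string and buffer size are constructed values.

```c
/* Added example, not part of the advisory: host-side check for CVE-2015-0235 using
 * the canary technique of the public GHOST test program. A 1024-byte resolver buffer
 * sits directly before a canary string; a vulnerable glibc writes past the buffer
 * while resolving a specially sized all-digit name, a fixed one returns ERANGE. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Two adjacent char arrays: any overrun of buffer lands on canary. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Returns 1 if gethostbyname_r() overwrote the canary (vulnerable glibc), else 0.
 * If retval_out is non-NULL it receives gethostbyname_r()'s return value. */
int ghost_vulnerable(int *retval_out)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];
    /* Length that makes the buggy size computation exactly fill the buffer:
     * strlen(name) = buf_size - sizeof(host_addr) - 2 * sizeof(char *) - 1. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;

    memset(name, '0', len);
    name[len] = '\0';
    memcpy(temp.canary, CANARY, sizeof(CANARY)); /* reset so the check is repeatable */

    int retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                                 &result, &herrno);
    if (retval_out)
        *retval_out = retval;
    return strcmp(temp.canary, CANARY) != 0;
}

int main(void)
{
    int retval;
    if (ghost_vulnerable(&retval))
        puts("vulnerable: glibc wrote past the resolver buffer");
    else if (retval == ERANGE)
        puts("not vulnerable: glibc rejected the oversized request (ERANGE)");
    else
        printf("inconclusive: canary intact, gethostbyname_r returned %d\n", retval);
    return 0;
}
```

The result reflects the glibc this test process loaded from disk; services that were already running before the upgrade keep the old copy in memory until restarted, which is why the advisory calls for a reboot.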
EMIs for Load Balancing and Imaging services for Eucalyptus 4.0.2 and prior releases contain a vulnerable version of the glibc library. The following packages are affected:
- eucalyptus-imaging-worker-image v1.0.2-0.49.165 and earlier
- eucalyptus-load-balancer-image v1.1.2-0.89.28 and earlier
SOLUTION
-------------
All hosts running Eucalyptus services should be upgraded to the latest glibc packages followed by a system reboot as soon as possible:
New Imaging Worker and Load Balancer EMIs are now available for 4.0 and contain the latest glibc packages:
- eucalyptus-imaging-worker-image-1.0.3-0.50.167.el6
- eucalyptus-load-balancer-image-1.1.3-0.90.37.el6
The packages can be found at:
http://downloads.eucalyptus.com/software/eucalyptus/4.0/
Instructions for installing the Load Balancer EMI can be found at:
https://www.eucalyptus.com/docs/eucalyptus/4.0.2/index.html#install-guide/configure_load_balancer.html
Instructions for installing the Imaging Worker EMI can be found at:
https://www.eucalyptus.com/docs/eucalyptus/4.0.2/index.html#install-guide/configure_imaging_service.html
WORKAROUND
-------------
To update to the latest glibc packages, instances started from previously released Load Balancing and Imaging service EMIs can be updated at runtime with the following commands: