ESA-29: The GHOST Vulnerability in Glibc
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-29
Issue Date: 2015-01-27
Last Updated: 2015-01-27
Severity Level: Critical
Affected Products: Eucalyptus 4.0.2 and earlier
CVE Number: CVE-2015-0235
====================================================================
OVERVIEW
------------
GHOST is a buffer overflow vulnerability in the GNU C library (glibc). The vulnerability was introduced in glibc-2.2. All hosts running Eucalyptus services should be upgraded to the latest glibc packages as soon as possible. Eucalyptus EMIs that are provided as a part of the Eucalyptus Imaging and Load Balancing services include vulnerable versions of glibc and are potentially affected by the vulnerability. We are working on providing an updated set of images to include the latest fixes.
DESCRIPTION
-------------
A heap-based buffer overflow vulnerability, called GHOST, has been discovered in glibc:
http://www.openwall.com/lists/oss-security/2015/01/27/9
This vulnerability can be exploited through calls to the gethostbyname*() C functions and allows execution of potentially arbitrary code if a number of preconditions are met.
Eucalyptus services and pre-bundled service EMIs do not directly expose the vulnerability, but because glibc is a commonly used library on Linux, the exact exposure is hard to estimate. Any software performing domain name resolution is potentially vulnerable. All hosts running Eucalyptus services should be upgraded to the latest glibc packages as soon as possible:
- http://www.spinics.net/lists/centos-announce/msg05569.html
- https://rhn.redhat.com/errata/RHSA-2015-0092.html
EMIs for Load Balancing and Imaging services for Eucalyptus 4.0.2 and prior releases contain a vulnerable version of the glibc library and new EMIs will be made available shortly.
WORKAROUND
-------------
Instances started from the Load Balancing and Imaging service EMIs can be updated to the latest glibc packages at runtime with the following command:
# yum update glibc
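Because the advisory asks for every host running Eucalyptus services to be upgraded, a practical follow-up is an inventory check that compares the installed glibc build on each host against the fixed build for its distribution. The script below is an added example written for this advisory, not Eucalyptus code or a vendor tool. It assumes you have collected one `rpm -q glibc` line per host (the inventory embedded here is constructed), and the fixed build strings in FIXED_BUILDS are assumptions for illustration: take the authoritative package versions from the Red Hat and CentOS errata linked above. The version comparison follows rpm's segment-by-segment rules (numeric segments compared as integers, alphabetic segments compared as strings, separators ignored), so backported releases such as 2.17-55.el7_0.5 are ordered correctly rather than by naive string comparison.

```python
"""Audit installed glibc builds across hosts against the GHOST fix (added example)."""
import re

# Minimum fixed glibc build per distribution release tag.
# ASSUMED values for illustration only: replace with the NVRs named in the vendor erratum.
FIXED_BUILDS = {
    "el6": "glibc-2.12-1.149.el6_6.5",
    "el7": "glibc-2.17-55.el7_0.5",
}

# Constructed sample: "<host> <output of rpm -q glibc>" collected from four hosts.
SAMPLE_INVENTORY = """\
clc-1   glibc-2.17-55.el7_0.3.x86_64
nc-1    glibc-2.17-55.el7_0.5.x86_64
nc-2    glibc-2.12-1.149.el6_6.4.x86_64
sc-1    glibc-2.12-1.149.el6_6.5.i686
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")
_ARCH = re.compile(r"\.(x86_64|i[3-6]86|noarch|aarch64|ppc64le)$")


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does.

    Returns -1, 0 or 1. Non-alphanumeric characters are separators; numeric
    segments are compared as integers, alphabetic ones as strings, and a
    numeric segment outranks an alphabetic one at the same position.
    The tilde/caret rules of newer rpm are not modelled here.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1  # numeric segment beats alpha segment
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # leftover segments mean "newer"


def parse_nvr(pkg):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    pkg = _ARCH.sub("", pkg)
    name_ver, _, release = pkg.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    return name, version, release


def dist_tag(release):
    """Extract the distribution tag (el6, el7, ...) from a release string."""
    m = re.search(r"\.(el\d+)", release)
    return m.group(1) if m else None


def is_fixed(pkg):
    """True if pkg is at or above the fixed glibc build for its distribution.

    Returns None when the package is not glibc or its distribution tag is
    not in FIXED_BUILDS, so unknown hosts are flagged rather than ignored.
    """
    name, ver, rel = parse_nvr(pkg)
    tag = dist_tag(rel)
    if name != "glibc" or tag not in FIXED_BUILDS:
        return None
    _, fver, frel = parse_nvr(FIXED_BUILDS[tag])
    verdict = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
    return verdict >= 0


def audit(inventory):
    """Return a list of (host, package, status) tuples for each inventory line."""
    results = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, pkg = line.split()
        fixed = is_fixed(pkg)
        status = "unknown" if fixed is None else ("patched" if fixed else "VULNERABLE")
        results.append((host, pkg, status))
    return results


if __name__ == "__main__":
    for host, pkg, status in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {pkg:36} {status}")
```

A host reported as patched by this check has the fixed package on disk, but long-running processes keep the old copy of libc mapped until they are restarted, so after `yum update glibc` the Eucalyptus services (or the whole instance) still need a restart for the fix to take effect.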
CONTACT and HELP
-------------
Contact the Eucalyptus Security Team at
secu...@eucalyptus.com.