Canonical, Red Hat
- Ubuntu 10.04 (Lucid), 12.04 (Precise), CentOS 6.
A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function call. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- All versions of Cloud Foundry BOSH stemcells running Ubuntu 10.04 (Lucid), 12.04 (Precise), and CentOS.
- All versions of Cloud Foundry Runtime through v196
- Pivotal CF and Pivotal Operations Manager 22.214.171.124 to 126.96.36.199
- All Pivotal CF Services through 188.8.131.52
- Ubuntu 14.04 (Trusty) stemcells are not vulnerable.
- Buildpacks for ruby, php, nodejs, goloang and java are not vulnerable.
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Ubuntu 10.04 (Lucid) BOSH Stemcells be upgraded to the Ubuntu 14.04 (Trusty) Stemcells.
- The Cloud Foundry BOSH team has released stemcell 2829 for CentOS 6 which uses patched CentOS packages. The Cloud Foundry project recommends that CentOS 6 stemcell users upgrade to CentOS stemcell 2829.
- The Cloud Foundry Runtime team has completed on a patch release of Ubuntu 10.04 (Lucid) root file system which is now available in Runtime v197. Applications running on Cloud Foundry Runtime that statically link to glibc need to be restaged after upgrading.
- If an application or buildpack statically links to glibc it must restage after the runtime upgrade.
- Binaries included in a custom buildpack or application must be scanned and patched as needed by the application developer responsible for those assets.
- The Pivotal CF team has finished patches to Elastic Runtime to resolve this vulnerability. Elastic Runtime 1.3.4 includes the patch. Pivotal recommends that customers upgrade to Elastic Runtime 1.3.4.
- Applications running on Elastic Runtime that statically link to glibc need to be restaged after upgrading.
- A patched version of glibc will be included in Ops Manager 1.4. This release is tentatively scheduled for calendar Q1 of 2015.
- Per VMware and Pivotal security policies, only Critical/Severe defects receive an urgent out-of-release cycle patch or expedited release. Low severity defects do not alter the release schedule. Moderate severity defects are evaluated on a case-by-case basis.
Qualys and Alexander Peslyak of the Openwall Project