CVE-2015-0235


Severity

Critical

Vendor

Canonical, Red Hat

Versions Affected
  • Ubuntu 10.04 (Lucid), 12.04 (Precise), CentOS 6.
Description

A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.
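When triaging hosts against this description, a local check is more reliable than comparing glibc version strings, because distributions backport the fix without bumping the version. The program below is an added example and is not part of the Pivotal advisory; it follows the canary approach of the publicly released Qualys test. It passes gethostbyname_r() a result buffer that is immediately followed by a canary, and an all-digit hostname sized so that the flawed size check in __nss_hostname_digits_dots() just passes (the check omitted the sizeof(char *) for h_alias_ptr that the function then writes). If the canary is clobbered the glibc is vulnerable; a patched glibc rejects the call with ERANGE. The check assumes a glibc-based Linux host; on another libc, or if the lookup takes a different path, it reports inconclusive rather than guessing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes returned by ghost_check(). */
enum ghost_result {
    GHOST_NOT_VULNERABLE = 0,  /* glibc rejected the call with ERANGE, canary intact */
    GHOST_VULNERABLE     = 1,  /* the canary behind the result buffer was overwritten */
    GHOST_INCONCLUSIVE   = 2   /* neither: not glibc, or a different code path was taken */
};

#define CANARY "in_the_coal_mine"

/* Result buffer handed to gethostbyname_r(), followed directly by a canary.
 * A vulnerable __nss_hostname_digits_dots() writes sizeof(char *) bytes past
 * the end of `buffer`, which lands in `canary`. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp;

int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int retval;

    memset(&temp, 0, sizeof(temp));
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* The vulnerable size check was
     *   size_needed = sizeof(host_addr) + sizeof(h_addr_ptrs) + strlen(name) + 1
     * with host_addr an unsigned char[16] and h_addr_ptrs a char *[2], but the
     * function also writes a char *h_alias_ptr that the check did not count.
     * Pick strlen(name) so size_needed == sizeof(temp.buffer): the check passes
     * and the writes run exactly sizeof(char *) bytes past the buffer. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);   /* all digits, so the digits-and-dots path is taken */
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    switch (ghost_check()) {
    case GHOST_VULNERABLE:     puts("vulnerable");     return 1;
    case GHOST_NOT_VULNERABLE: puts("not vulnerable"); return 0;
    default:                   puts("inconclusive");   return 2;
    }
}
```

Build with `gcc -o ghost ghost.c` and run it inside the stemcell or application container whose glibc you are assessing; a statically linked binary shipped in a custom buildpack carries its own copy of glibc and is not covered by this check of the host library. Note also that a process keeps the glibc it had mapped at start-up, so after the package is updated long-running services must be restarted (or the instance recreated) before the fix is effective.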

Affected Pivotal Products and Versions

Severity is critical unless otherwise noted.

  • All versions of Cloud Foundry BOSH stemcells running Ubuntu 10.04 (Lucid), 12.04 (Precise), and CentOS.
  • All versions of Cloud Foundry Runtime through v196
  • Pivotal CF and Pivotal Operations Manager 1.0.0.0 to 1.3.4.0
  • All Pivotal CF Services through 1.3.0.0
Unaffected Products
  • Ubuntu 14.04 (Trusty) stemcells are not vulnerable.
  • Buildpacks for ruby, php, nodejs, golang and java are not vulnerable.
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Ubuntu 10.04 (Lucid) BOSH Stemcells be upgraded to the Ubuntu 14.04 (Trusty) Stemcells.
  • The Cloud Foundry BOSH team has released stemcell 2829 for CentOS 6 which uses patched CentOS packages. The Cloud Foundry project recommends that CentOS 6 stemcell users upgrade to CentOS stemcell 2829.
  • The Cloud Foundry Runtime team has completed a patch release of the Ubuntu 10.04 (Lucid) root file system, which is now available in Runtime v197.
    • Applications running on Cloud Foundry Runtime that statically link glibc, or whose buildpack does, must be restaged after the runtime upgrade.
    • Binaries included in a custom buildpack or application must be scanned and patched as needed by the application developer responsible for those assets.
  • The Pivotal CF team has finished patches to Elastic Runtime to resolve this vulnerability. Elastic Runtime 1.3.4 includes the patch. Pivotal recommends that customers upgrade to Elastic Runtime 1.3.4.
    • Applications running on Elastic Runtime that statically link to glibc need to be restaged after upgrading.
  • Pivotal is working on a patch for PHD for Pivotal CF to resolve this vulnerability.
  • Pivotal does not anticipate that Ops Manager customers will encounter the conditions triggering CVE-2015-0235, and considers these defects low severity in relation to the Ops Manager product.
    • A patched version of glibc will be included in Ops Manager 1.4. This release is tentatively scheduled for calendar Q1 of 2015.
    • Per VMware and Pivotal security policies, only Critical/Severe defects receive an urgent out-of-release cycle patch or expedited release. Low severity defects do not alter the release schedule. Moderate severity defects are evaluated on a case-by-case basis.
Credit

Qualys and Alexander Peslyak of the Openwall Project