SVG:Advisory-CVE-2015-7547
Title: EGI SVG Advisory [TLP:White] "Critical" risk glibc remote code execution [EGI-SVG-CVE-2015-7547]

Date: 2016-02-17
Updated:

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ***

Affected Software and Risk
==========================

'Critical' risk vulnerability allowing remote code execution in most Linux distributions

Package : glibc
CVE ID : CVE-2015-7547

Actions Required/Recommended
============================

All running resources MUST be patched by 2016-02-24 21:00 UTC.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.

Sites should note that it is necessary to restart all services; it may be simplest to reboot after installation of the updates.

Affected software Details
=========================

RedHat 6, RedHat 7 plus their derivatives [R 1]
Ubuntu is affected [R 2]
Debian is affected [R 3]
For SL6 see [R 4]
For SL7 see [R 5]
CentOS [R 6]

More information
================

More info on this vulnerability is at [R 7]

Google states they were able to carry out remote code execution, but did not release the exploit.

So far no exploit has been found which allows this vulnerability to be exploited in the EGI Infrastructure. We cannot be sure that there isn't a serious exploit which would work in the EGI infrastructure that we are not aware of; because of this, and the high level of publicity this vulnerability has received, it has been assessed as 'Critical'.

It is also noted that this vulnerability affects almost all Linux based systems, including a very wide variety of applications, not just the EGI infrastructure.

Mitigation
==========

N/A.
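The restart requirement in "Actions Required" can be verified with the following POSIX shell check, added here as an example and not an EGI SVG tool: it lists processes that still map a libc or libresolv file the package update has replaced on disk (the kernel marks such mappings "(deleted)" in /proc/<pid>/maps). It assumes a Linux /proc and should be run as root to see every process.

```shell
#!/bin/sh
# Added example for this advisory (not an EGI SVG tool): after the glibc
# update, find processes still running on the old library, i.e. services
# that have not yet been restarted as the "Actions Required" section demands.
# Assumes a Linux /proc; run as root to inspect every process.

# Return 0 when the supplied /proc/<pid>/maps text shows a libc or
# libresolv mapping whose file on disk has been replaced by the package
# update: the kernel appends " (deleted)" to such a mapping's path.
maps_uses_stale_libc() {
    printf '%s\n' "$1" |
        grep -Eq '/lib(c|resolv)(-[0-9.]+)?\.so[^ ]* \(deleted\)$'
}

# Print "<pid>\t<command>" for each process whose address space still
# contains a deleted (pre-update) glibc shared object.
find_stale_libc_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # Processes may exit mid-scan or be unreadable; skip those.
        content=$(cat "$maps" 2>/dev/null) || continue
        if maps_uses_stale_libc "$content"; then
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s\t%s\n' "$pid" "$comm"
        fi
    done
    return 0
}

# Usage: an empty result means every process has picked up the new glibc;
# anything listed must be restarted (or the host rebooted).
find_stale_libc_processes
```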
Component installation information
==================================

See vendors' web sites

RedHat 6, RedHat 7 [R 1]
Ubuntu is affected [R 2]
Debian is affected [R 3]
For SL6 see [R 4]
For SL7 see [R 5]
For CentOS see [R 6]

URL
===

URL: https://wiki.egi.eu/wiki/SVG:Advisory-CVE-2015-7547

Minor updates may be made without re-distribution to the sites

Credit
======

SVG was alerted to this vulnerability by David Crooks

References
==========

[R 1] https://access.redhat.com/security/cve/cve-2015-7547
[R 2] http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7547.html
[R 3] https://security-tracker.debian.org/tracker/CVE-2015-7547
[R 4] https://www.scientificlinux.org/sl-errata/slsa-20160175-1/
[R 5] https://www.scientificlinux.org/sl-errata/slsa-20160176-1/
[R 6] https://www.centosblog.com/new-glibc-exploit-found-patch-for-cve-2015-7547-available-now/
[R 7] https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

Timeline
========

Yyyy-mm-dd [EGI-SVG-CVE-2015-7547]

2016-02-16 (evening) SVG alerted to this issue by David Crooks
2016-02-17 Acknowledgement from the EGI SVG to the reporter
2016-02-17 Investigation of vulnerability and relevance to EGI carried out by (as appropriate)
2016-02-17 EGI SVG Risk Assessment completed
2016-02-17 Updated packages available for RHEL, Ubuntu, Debian, SL6, SL7, CentOS
2016-02-17 Advisory/Alert sent to sites