GNU libc: New vulnerability! Linux and F5 Networks affected

The Federal Office for Security in der Informationstechnik (BSI) published an update on April 17th, 2023 to a security gap with several vulnerabilities for GNU libc that became known on January 20th, 2016. The Linux and F5 Networks operating systems and the products Red Hat Enterprise Linux, Ubuntu Linux, F5 BIG-IP, IBM BladeCenter, Oracle Linux and Open Source GNU libc are affected by the vulnerability.

The latest manufacturer recommendations regarding updates, workarounds and security patches for this vulnerability can be found here: IBM Security Bulletin 868518 (Status: 04/14/2023). Other useful sources are listed later in this article.

Multiple vulnerabilities for GNU libc – risk: medium

Risk level: 4 (medium)
CVSS Base Score: 7,3
CVSS Temporal Score: 6,6
Remoteangriff: Ja

The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security vulnerabilities based on various criteria in order to create a priority list based on this for initiating countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used for the severity of a vulnerability. The base score assesses the prerequisites for an attack (including authentication, complexity, privileges, user interaction) and its consequences. With the temporal score, framework conditions that change over time are included in the evaluation. The severity of the current vulnerability is classified as “medium” according to the CVSS with a base score of 7.3.

GNU libc bug: description of the attack

The GNU libc is the base C library under Linux and other Unix operating systems, which provides the system calls and basic functionality.

A remote, anonymous attacker could exploit several vulnerabilities in GNU libc to execute arbitrary code, bypass security features, disclose information, or cause a denial of service condition.

The vulnerability is identified with the unique CVE serial numbers (Common Vulnerabilities and Exposures) CVE-2014-9761, CVE-2015-8776, CVE-2015-8777, CVE-2015-8778 und CVE-2015-8779 traded.

Systems affected by the vulnerability at a glance

operating systems
Linux, F5 Networks

Products
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
SUSE Linux Enterprise Desktop (cpe:/o:suse:linux_enterprise_desktop)
Ubuntu Linux (cpe:/o:canonical:ubuntu_linux)
F5 BIG-IP (cpe:/a:f5:big-ip)
F5 ARX (cpe:/a:f5:arx)
SUSE Linux Enterprise Server (cpe:/o:suse:linux_enterprise_server)
IBM BladeCenter (cpe:/h:ibm:bladecenter)
Oracle Linux (cpe:/o:oracle:linux)
Open Source GNU libc < 2.23 (cpe:/a:gnu:glibc)

General measures to deal with IT vulnerabilities

1. Users of the affected systems should keep them up to date. When security gaps become known, manufacturers are required to remedy them as quickly as possible by developing a patch or a workaround. If security patches are available, install them promptly.

2. For information, consult the sources listed in the next section. These often contain further information on the latest version of the software in question and the availability of security patches or tips on workarounds.

3. If you have any further questions or are uncertain, please contact your responsible administrator. IT security managers should regularly check when the manufacturing company makes a new security update available.

Sources for updates, patches and workarounds

Here you will find further links with information about bug reports, security fixes and workarounds.

IBM Security Bulletin 868518 vom 2023-04-14 (17.04.2023)
For more information, see: https://www.ibm.com/support/pages/node/868518

Oracle Linux Security Advisory ELSA-2017-3601 vom 2017-08-09 (10.08.2017)
For more information, see: http://linux.oracle.com/errata/ELSA-2017-3601.html

RedHat Security Advisory: RHSA-2017:1916 (02.08.2017)
For more information, see: https://access.redhat.com/errata/RHSA-2017:1916

Red Hat Security Advisory RHSA-2017:0680 vom 2017-03-21 (21.03.2017)
For more information, see: https://access.redhat.com/errata/RHSA-2017:0680

F5 Security Advisory SOL31211252 vom 2016-06-01 (01.06.2016)
For more information, see: https://support.f5.com/kb/en-us/solutions/public/k/31/sol31211252.html

Ubuntu Security Notice USN-2985-2 vom 2016-05-26 (27.05.2016)
For more information, see: http://www.ubuntu.com/usn/usn-2985-2/

Ubuntu Security Notice USN-2985-1 vom 2016-05-26 (27.05.2016)
For more information, see: http://www.ubuntu.com/usn/usn-2985-1/

F5 Security Advisory sol39250133 vom 2016-04-20 (21.04.2016)
For more information, see: https://support.f5.com/kb/en-us/solutions/public/k/39/sol39250133.html?ref=rss

F5 Security Advisory sol51079478 vom 2016-04-07 (08.04.2016)
For more information, see: https://support.f5.com/kb/en-us/solutions/public/k/51/sol51079478.html

F5 Security Advisory sol23946311 vom 2016-04-01 (04.04.2016)
For more information, see: https://support.f5.com/kb/en-us/solutions/public/k/23/sol23946311.html?ref=rss

SUSE Security Update SUSE-SU-2016:0778-1 vom 2016-03-15 (16.03.2016)
For more information, see: https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00051.html

SUSE Security Update SUSE-SU-2016:0778-1 vom 2016-03-15 (16.03.2016)
For more information, see: https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00051.html

SUSE Security Update SUSE-SU-2016:0748-1 vom 2016-03-14 (15.03.2016)
For more information, see: https://www.suse.com/support/update/announcement/2016/suse-su-20160748-1.html

SUSE Security Update SUSE-SU-2016:0472-1 vom 2016-02-16 (17.02.2016)
For more information, see: http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00038.html

SUSE Security Update SUSE-SU-2016:0473-1 vom 2016-02-16 (17.02.2016)
For more information, see: http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00039.html

SUSE Security Update SUSE-SU-2016:0471-1 vom 2016-02-16 (17.02.2016)
For more information, see: http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00037.html

SUSE Security Update SUSE-SU-2016:0470-1 vom 2016-02-16 (17.02.2016)
For more information, see: http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html

Debian Security Advisory DSA-3480 vom 2016-02-17 (17.02.2016)
For more information, see: https://www.debian.org/security/2016/dsa-3480

Debian Security Advisory DSA-3481 vom 2016-02-17 (17.02.2016)
For more information, see: https://www.debian.org/security/2016/dsa-3481

glibc catopen() Multiple unbounded stack allocations POC vom 2016-01-19 (20.01.2016)
For more information, see: https://cxsecurity.com/issue/WLB-2016010149

OSS Security Mailinglist vom 2016-01-19 (20.01.2016)
For more information, see: http://seclists.org/oss-sec/2016/q1/153

Version history of this security alert

This is the 21st version of this IT Security Advisory for GNU libc. If further updates are announced, this text will be updated. You can read about changes or additions in this version history.

20.01.2016 – Initial Release
01/20/2016 – Version not available
01/20/2016 – Version not available
17.02.2016 – New remediations available
17.02.2016 – New remediations available
17.02.2016 – New remediations available
17.02.2016 – New remediations available
17.02.2016 – New remediations available
02/17/2016 – Version not available
15.03.2016 – New remediations available
16.03.2016 – New remediations available
03/16/2016 – Version not available
08.04.2016 – New remediations available
04/08/2016 – Version not available
27.05.2016 – New remediations available
05/27/2016 – Version not available
01.06.2016 – New remediations available
21.03.2017 – New remediations available
24.07.2017 – Added references
08.08.2017 – Added references
04/17/2023 – Added new updates from IBM

+++ Editorial note: This text was created with AI support based on current BSI data. We accept feedback and comments at [email protected]. +++

follow News.de already at Facebook, Twitter, Pinterest and YouTube? Here you will find the latest news, the latest videos and the direct line to the editors.

roj/news.de