An IT security alert update for a known vulnerability has been released for GNU libc. You can read about which operating systems and products are affected by the security gap here on news.de.
The Federal Office for Security in Information Technology (BSI) reported a security advisory for GNU libc on October 4th, 2023. The security vulnerability affects the operating systems UNIX and Linux as well as the products Oracle Linux, Gentoo Linux and open source GNU libc. This warning was last updated on October 9, 2023.
The latest manufacturer recommendations regarding updates, workarounds and security patches for this vulnerability can be found here: Oracle Linux Security Advisory ELSA-2023-12851 (As of October 6, 2023). Other useful links are listed later in this article.
Security advisory for GNU libc ā Risk: high
Risk level: 5 (high)
CVSS Base Score: 7,8
CVSS Temporal Score: 7,0
Remote attack: No
The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security vulnerabilities based on various criteria in order to create a priority list for taking countermeasures. The attributes ānoneā, ālowā, āmediumā, āhighā and ācriticalā are used to determine the severity levels of a vulnerability. The Base Score evaluates the requirements for an attack (including authentication, complexity, privileges, user interaction) and its consequences. The temporal score also takes changes over time in the danger situation into account. The risk of the vulnerability discussed here is classified as āhighā according to the CVSS with a base score of 7.8.
GNU libc bug: Vulnerability allows privilege escalation
The GNU libc is the base C library under Linux and other Unix operating systems, which provides the system calls and basic functionality.
A local attacker could exploit a vulnerability in GNU libc to execute arbitrary program code with administrative privileges or escalate their privileges.
The vulnerability was classified using the CVE designation system (Common Vulnerabilities and Exposures) by the individual serial number CVE-2023-4911.
Systems affected by the security gap at a glance
Operating systems
UNIX, Linux
Products
Oracle Linux (cpe:/o:oracle:linux)
Gentoo Linux (cpe:/o:gentoo:linux)
Open Source GNU libc (cpe:/a:gnu:glibc)
General recommendations for dealing with IT vulnerabilities
Users of the affected systems should keep them up to date. When security gaps become known, manufacturers are required to fix them as quickly as possible by developing a patch or a workaround. If security patches are available, install them promptly. For information, consult the sources listed in the next section. These often contain further information about the latest version of the software in question as well as the availability of security patches or information about workarounds. If you have any further questions or uncertainties, please contact your responsible administrator. IT security managers should regularly check the sources mentioned to see whether a new security update is available.
Manufacturer information on updates, patches and workarounds
Here you will find further links with information about bug reports, security fixes and workarounds.
Oracle Linux Security Advisory ELSA-2023-12851 vom 2023-10-06 (09.10.2023)
For more information, see:
Oracle Linux Security Advisory ELSA-2023-12854 vom 2023-10-06 (09.10.2023)
For more information, see:
PoCās on seclists.org (05.10.2023)
For more information, see:
Oracle Linux Security Advisory ELSA-2023-12850 vom 2023-10-05 (05.10.2023)
For more information, see:
Github Security Advisory vom 2023-10-03 (04.10.2023)
For more information, see:
GNU C Library Security Notification vom 2023-10-03 (04.10.2023)
For more information, see:
Gentoo Linux Security Advisory GLSA-202310-03 vom 2023-10-04 (04.10.2023)
For more information, see:
Version history of this security alert
This is the 3rd version of this IT security notice for GNU libc. If further updates are announced, this text will be updated. You can see the changes made using the version history below.
October 4th, 2023 ā Initial version
October 5, 2023 ā Exploit added
October 9, 2023 ā New updates to Oracle Linux added
+++ Editorial note: This text was created using AI based on current BSI data. We accept feedback and comments at [email protected]. +++
follow News.de already at Facebook, Twitter, Pinterest and YouTube? Here you will find hot news, current videos and a direct line to the editorial team.
roj/news.de