Re: glibc vulnerable (CVE-2015-7547)

2016-03-01 Thread John Kinsella 
We (ACS security team) are aware of the glibc vulnerability, and yes a 
vulnerable version exists in the current supported version of the system VM 
image. The question though, which I’ve been trying to figure out is does the 
code running on the secondary storage VM, console proxy, or virtual router 
actually call the vulnerable code, and do so in a manner which a malicious 
party could leverage the vulnerability on the VM in a usable way.

Basically a malicious user would have to compromise the DNS resolver that the 
System VM uses for DNS resolution, and then get System VM to execute 
(basically) a reverse DNS lookup to that compromised DNS server. I don’t think 
the chance of this is significant.

All that said, best move right now is probably to update glibc if you can do so.

In the future, I’d ask if you have questions about security-related issues with 
CloudStack, to contact secur...@cloudstack.apache.org. Once we have a solid 
feel on this in the coming days, we’ll put out a blog post and/or update.

John

> On Feb 22, 2016, at 7:00 AM, Stephan Seitz 
>  wrote:
> 
> 
>> is the latest system vm template vulnerable to CVE-2015-7547 
>> (https://security-tracker.debian.org/tracker/CVE-2015-7547)?
>> I cannot find anything about it in the mailinglist and/or CS page.
> 
> If you ssh into the system-VMs, you'll find the vulnurable version of
> libc.
> 
> to mitigate this, we've updated the libc (and only the installed
> libc-packages) in the running system-VMs and rebooted them.
> 
> Additionally, we've updated the libc in the respective template.
> Since we're using XenServer, thats a vhd located at the 2nd. storage,
> which we've chroot'ed into, using blktap2, kpartx and mount.
> 
> cheers,
> 
> - Stephan
> 
> 
> 
>

Re: glibc vulnerable (CVE-2015-7547)

2016-02-22 Thread Stephan Seitz 

> is the latest system vm template vulnerable to CVE-2015-7547 
> (https://security-tracker.debian.org/tracker/CVE-2015-7547)?
> I cannot find anything about it in the mailinglist and/or CS page.

If you ssh into the system-VMs, you'll find the vulnurable version of
libc.

to mitigate this, we've updated the libc (and only the installed
libc-packages) in the running system-VMs and rebooted them.

Additionally, we've updated the libc in the respective template.
Since we're using XenServer, thats a vhd located at the 2nd. storage,
which we've chroot'ed into, using blktap2, kpartx and mount.

cheers,

- Stephan

glibc vulnerable (CVE-2015-7547)

2016-02-22 Thread S . Brüseke - proIO GmbH 
Hi,

is the latest system vm template vulnerable to CVE-2015-7547 
(https://security-tracker.debian.org/tracker/CVE-2015-7547)?
I cannot find anything about it in the mailinglist and/or CS page.

Mit freundlichen Grüßen / With kind regards,

Swen




- proIO GmbH -
Geschäftsführer: Swen Brüseke
Sitz der Gesellschaft: Frankfurt am Main

USt-IdNr. DE 267 075 918
Registergericht: Frankfurt am Main - HRB 86239

Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. 
Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten 
haben, 
informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. 
Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail sind nicht 
gestattet. 

This e-mail may contain confidential and/or privileged information. 
If you are not the intended recipient (or have received this e-mail in error) 
please notify 
the sender immediately and destroy this e-mail.  
Any unauthorized copying, disclosure or distribution of the material in this 
e-mail is strictly forbidden.