FYI the blog post mentioned below now has links to updated SSVM templates.

> On Jan 28, 2015, at 11:49 AM, John Kinsella <j...@stratosec.co> wrote:
> 
> Folks - just posted mitigation details at [1]. An updated SSVM template is 
> being QAed, once released the post will be updated with links and we’ll 
> mention here as well.
> 
> John
> 1: https://blogs.apache.org/cloudstack/entry/cloudstack_and_the_ghost_glibc
> 
> On Jan 28, 2015, at 4:55 AM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
> 
> Hi,
> 
> While it's general public news, everyone is requested and encouraged
> to use the security mailing list in future to report anything. For more
> details please read: http://cloudstack.apache.org/security.html
> 
> Thanks and regards.
> 
> On Wednesday 28 January 2015 03:34 PM, linux...@gmail.com wrote:
> A critical vulnerability has been found in glibc, the GNU C library,
> that affects all Linux systems dating back to 2000. Attackers can use
> this flaw to execute code and remotely gain control of Linux machines.
> 
> The issue stems from a heap-based buffer overflow found in the
> __nss_hostname_digits_dots() function in glibc. That particular
> function is used by the _gethostbyname function calls.
> 
> “A remote attacker able to make an application call either of these
> functions could use this flaw to execute arbitrary code with the
> permissions of the user running the application,” said an advisory
> from Linux distributor Red Hat.
> 
> The vulnerability, CVE-2015-0235, has already been nicknamed GHOST
> because of its relation to the _gethostbyname function. Researchers at
> Qualys discovered the flaw, and say it goes back to glibc version 2.2
> in Linux systems published in November 2000.
> 
> According to Qualys, there is a mitigation for this issue that was
> published May 21, 2013 between patch glibc-2.17 versions and
> glibc-2.18.
> 
> “Unfortunately, it was not recognized as a security threat; as a
> result, most stable and long-term-support distributions were left
> exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6
> & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from
> Qualys posted to the OSS-Security mailing list.
> 
> Respective Linux distributions will be releasing patches; Red Hat has
> released an update for Red Hat Enterprise Linux v.5 server. Novell has
> a list of SUSE Linux Enterprise Server builds affected by the
> vulnerability. Debian has already released an update of its software
> addressing the vulnerability.
> 
> “It’s everywhere, which is kind of the urgency we have here. This has
> been in glibc for a long time. It was fixed recently, but it was not
> marked as a security issue, so things that are fairly new should be
> OK,” said Josh Bressers, a member of the Red Hat security response
> team. “From a threat level, what it comes down to is a handful of
> stuff that’s probably dangerous that uses this function.”
> 
> Unlike past Internet-wide bugs such as Bash, patching glibc may not be
> the chore it was with Bash since so many components made silent Bash
> calls.
> 
> “In this instance, you just apply the glibc update, and restart any
> services that are vulnerable,” Bressers said. “It’s not confusing like
> Shellshock was.”
> 
> Qualys, in its advisory, not only shares extremely in-depth technical
> information on the vulnerability, but also includes a section
> explaining exploitation of the Exim SMTP mail server. The advisory
> demonstrates how to bypass NX, or No-eXecute protection as well as
> glibc malloc hardening, Qualys said.
> 
> Qualys also said that in addition to the 2013 patch, other factors
> mitigate the impact of the vulnerability, including the fact that the
> gethostbyname functions are obsolete because of IPv6 and newer
> applications using a different call, getaddrinfo(). While the flaw is
> also exploitable locally, this scenario too is mitigated because many
> programs rely on gethostbyname only if another preliminary call fails
> and a secondary call succeeds in order to reach the overflow. The
> advisory said this is “impossible” and those programs are safe.
> 
> There are mitigations against remote exploitation too, Qualys said.
> Servers, for example, use gethostbyname to perform full-circle reverse
> DNS checks. “These programs are generally safe because the hostname
> passed to gethostbyname() has normally been pre-validated by DNS
> software,” the advisory said.
> 
> “It’s not looking like a huge remote problem, right now,” Bressers said.
> 
> However, while the bug may have been dormant since 2000, there is no
> way to tell if criminals or government-sponsored hackers have been
> exploiting this vulnerability. Nor is there any way to tell what will
> happen once legitimate security researchers—and black hats—begin
> looking at the vulnerability now that it’s out in the open. With Bash,
> for example, it didn’t take long for additional security issues to
> rise to the surface.
> 
> - See more at: 
> https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679
> 
> --
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 8826230892 | rohit.ya...@shapeblue.com
> Blog: http://bhaisaab.org/ | Twitter: @_bhaisaab
> PS. If you see any footer below, I did not add it :)
> 
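A local check for the overflow discussed in the thread, added here as an example (it is not code from the thread, from CloudStack, or the Qualys advisory's own test program). It hands gethostbyname_r() a buffer followed by a canary and a numeric hostname sized so that a glibc whose __nss_hostname_digits_dots() size check omits the alias pointer overruns the buffer by sizeof(char *); a patched glibc refuses with ERANGE before copying anything. The 16-byte address, two address-list pointers and one alias pointer assumed for the layout are the bookkeeping glibc allocates on that code path; the canary string and return codes are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Canary placed directly after the buffer handed to gethostbyname_r().
   A vulnerable __nss_hostname_digits_dots() writes sizeof(char *) bytes
   past the end of the buffer, which lands on this canary. */
#define CANARY "ghost_canary_0235"

static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe;

enum { GHOST_PATCHED = 0, GHOST_VULNERABLE = 1, GHOST_INCONCLUSIVE = 2 };

/* Returns GHOST_VULNERABLE if the canary was overwritten, GHOST_PATCHED if
   glibc rejected the request with ERANGE, GHOST_INCONCLUSIVE otherwise
   (for example a non-glibc libc that simply fails to resolve the name). */
int ghost_check(void)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0;
    char name[sizeof(probe.buffer)];

    /* The digits-and-dots path needs room for a 16-byte address, two
       address-list pointers, one alias pointer and the NUL-terminated name.
       The buggy size check forgot the alias pointer, so a name of this
       length passes the check while the copy overruns by sizeof(char *). */
    size_t len = sizeof(probe.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';

    memset(probe.buffer, 0, sizeof(probe.buffer));
    memcpy(probe.canary, CANARY, sizeof(CANARY));

    int ret = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                              &result, &herrno);

    if (memcmp(probe.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (ret == ERANGE)
        return GHOST_PATCHED;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "VULNERABLE", "inconclusive" };
    printf("GHOST (CVE-2015-0235) check: %s\n", verdict[ghost_check()]);
    return 0;
}
```

Run it on each host (or inside each SSVM image) before and after applying the glibc update; as the article notes, services that loaded the old library must be restarted for the fix to take effect.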
