OracleVM 2.2 : glibc (OVMSA-2015-0024) (GHOST)

High Nessus Plugin ID 81119

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

- Switch to use malloc when the input line is too long [Orabug 19951108]

- Use a /sys/devices/system/cpu/online for
_SC_NPROCESSORS_ONLN implementation [Orabug 17642251] (Joe Jin)

- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532).

- Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475,

- Fix patch for integer overflows in *valloc and memalign.
(CVE-2013-4332, #1011805).

- Fix return code when starting an already started nscd daemon (#979413).

- Fix getnameinfo for many PTR record queries (#1020486).

- Return EINVAL error for negative sizees to getgroups (#995207).

- Fix integer overflows in *valloc and memalign.
(CVE-2013-4332, #1011805).

- Add support for newer L3 caches on x86-64 and correctly count the number of hardware threads sharing a cacheline (#1003420).

- Revert incomplete fix for bug #758193.

- Fix _nl_find_msg malloc failure case, and callers (#957089).

- Test on init_fct, not result->__init_fct, after demangling (#816647).

- Don't handle ttl == 0 specially (#929035).

- Fix multibyte character processing crash in regexp (CVE-2013-0242, #951132)

- Fix getaddrinfo stack overflow resulting in application crash (CVE-2013-1914, #951132)

- Add missing patch to avoid use after free (#816647)

- Fix race in initgroups compat_call (#706571)

- Fix return value from getaddrinfo when servers are down.
(#758193)

- Fix fseek on wide character streams. Sync's seeking code with RHEL 6 (#835828)

- Call feraiseexcept only if exceptions are not masked (#861871).

- Always demangle function before checking for NULL value.
(#816647).

- Do not fail in ttyname if /proc is not available (#851450).

- Fix errno for various overflow situations in vfprintf.
Add missing overflow checks. (#857387)

- Handle failure of _nl_explode_name in all cases (#848481)

- Define the default fuzz factor to 2 to make it easier to manipulate RHEL 5 RPMs on RHEL 6 and newer systems.

- Fix race in intl/* testsuite (#849202)

- Fix out of bounds array access in strto* exposed by 847930 patch.

- Really fix POWER4 strncmp crash (#766832).

- Fix integer overflow leading to buffer overflow in strto* (#847930)

- Fix race in msort/qsort (#843672)

- Fix regression due to 797096 changes (#845952)

- Do not use PT_IEEE_IP ptrace calls (#839572)

- Update ULPs (#837852)

- Fix various transcendentals in non-default rounding modes (#837852)

- Fix unbound alloca in vfprintf (#826947)

- Fix iconv segfault if the invalid multibyte character 0xffff is input when converting from IBM930. (#823905)

- Fix fnmatch when '*' wildcard is applied on a file name containing multibyte chars. (#819430)

- Fix unbound allocas use in glob_in_dir, getaddrinfo and others. (#797096)

- Fix segfault when running ld.so --verify on some DSO's in current working directory. (#808342)

- Incorrect initialization order for dynamic loader (#813348)

- Fix return code when stopping already stopped nscd daemon (#678227)

- Remove MAP_32BIT for pthread stack mappings, use MAP_STACK instead (#641094)

- Fix setuid vs sighandler_setxid race (#769852)

- Fix access after end of search string in regex matcher (#757887)

- Fix POWER4 strncmp crash (#766832)

- Fix SC_*CACHE detection for X5670 cpus (#692182)

- Fix parsing IPV6 entries in /etc/resolv.conf (#703239)

- Fix double-free in nss_nis code (#500767)

- Add kernel VDSO support for s390x (#795896)

- Fix race in malloc arena creation and make implementation match documented behaviour (#800240)

- Do not override TTL of CNAME with TTL of its alias (#808014)

- Fix short month names in fi_FI locale #(657266).

- Fix nscd crash for group with large number of members (#788989)

- Fix Slovakia currency (#799853)

- Fix getent malloc failure check (#806403)

- Fix short month names in zh_CN locale (#657588)

- Fix decimal point symbol for Portuguese currency (#710216)

- Avoid integer overflow in sbrk (#767358)

- Avoid race between [,__de]allocate_stack and
__reclaim_stacks during fork (#738665)

- Fix race between IO_flush_all_lockp & pthread_cancel (#751748)

- Fix memory leak in NIS endgrent (#809325)

- Allow getaddr to accept SCTP socket types in hints (#765710)

- Fix errno handling in vfprintf (#794814)

- Filter out <built-in> when building file lists (#784646).

- Avoid 'nargs' integer overflow which could be used to bypass FORTIFY_SOURCE (#794814)

- Fix currency_symbol for uk_UA (#639000)

Solution

Update the affected glibc / glibc-common / nscd packages.

See Also

http://www.nessus.org/u?b908cf01

Plugin Details

Severity: High

ID: 81119

File Name: oraclevm_OVMSA-2015-0024.nasl

Version: 1.18

Type: local

Published: 2015/02/02

Updated: 2019/09/27

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.6

Temporal Score: 6.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:glibc, p-cpe:/a:oracle:vm:glibc-common, p-cpe:/a:oracle:vm:nscd, cpe:/o:oracle:vm_server:2.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/01/30

Vulnerability Publication Date: 2013/02/08

Exploitable With

Core Impact

Metasploit (Exim GHOST (glibc gethostbyname) Buffer Overflow)

Reference Information

CVE: CVE-2013-0242, CVE-2013-1914, CVE-2013-4332, CVE-2014-0475, CVE-2014-5119, CVE-2015-0235

BID: 57638, 58839, 62324, 68505, 68983, 69738, 72325