Article ID: 124311, created on Jan 28, 2015, last review on Jun 17, 2016

Applies to:

  • Virtuozzo
  • Virtuozzo containers for Linux
  • Virtuozzo hypervisor
  • Virtual Automation

Situation

During a code audit performed internally at Qualys, a heap-based buffer overflow was found in glibc's "__nss_hostname_digits_dots()" function, which is used by the gethostbyname() and gethostbyname2() glibc function calls.

Impact

There is a remote code execution risk due to this vulnerability. An attacker who exploits this issue can gain complete control of the compromised system.

More information about CVE-2015-0235 can be found on the Qualys Blog and on the Openwall website.

Call to Action

Parallels Virtual Automation

  1. Update the host OS of the PVA Management Node and of each node where PVA Agent runs:

    For RedHat based OSes:

    # yum update glibc
    

    For Debian/Ubuntu based OSes:

    # apt-get install --only-upgrade libc6
    

    For SUSE:

    # yast2 --update glibc
    
  2. Restart PVA services:

    On Management node:

    # service pvamnd restart
    # service pvacc restart
    

    On nodes with PVA Agent:

    # service pvaagentd restart
    # service pvapp restart
    

Parallels Cloud Server

  1. It is recommended to update Parallels Cloud Server nodes by running yum update.

  2. The package should be updated inside all the containers and Linux virtual machines running on the node as well.

    a. To update the package inside all running containers, please do the following:

    ~# for i in `vzlist -Ho ctid`; do vzpkg update $i -p glibc; done
    

    b. To update the package inside the stopped containers, you will need to temporarily start them:

    ~# vzctl start CTID
    ~# vzpkg update CTID -p glibc
    

    c. To update the package inside the virtual machines, use the package manager of the corresponding Linux distribution used as the Guest system inside of the VMs. The VMs need to be rebooted to apply the change.

  3. After all containers and virtual machines have been updated, reboot the hardware node.

Parallels Virtuozzo Containers

The package should be updated on the node and inside all of the running containers as well.

  1. It is recommended to update Parallels Virtuozzo Containers nodes by running yum update.

  2. To update the package inside all running containers, please do the following:

    ~# for i in `vzlist -Ho ctid`; do vzpkg update $i -p glibc; done
    
  3. To update the package inside the stopped containers, you will need to temporarily start them:

    ~# vzctl start CTID
    ~# vzpkg update CTID -p glibc
    
  4. After all containers have been updated, reboot the hardware node.
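
The service restarts and reboots above matter because a process started before the upgrade keeps the old glibc mapped until it exits. The following script is an added example, not part of the original advisory: it lists processes that still map a libc file the package manager has replaced. The function names are hypothetical, and it assumes a Linux /proc and root privileges to read other users' maps.

```shell
#!/bin/sh
# Added example (not from the advisory): find processes that still run on the
# pre-upgrade glibc. After a package upgrade the old library file is unlinked,
# so /proc/PID/maps shows its path with a trailing " (deleted)" marker.

# uses_stale_libc MAPS_FILE
# Succeeds if MAPS_FILE contains a mapping of libc-<ver>.so or libc.so.<n>
# marked as deleted. Other libraries such as libcap are deliberately ignored.
uses_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' "$1" 2>/dev/null
}

# stale_pids [PROC_ROOT]
# Prints "PID NAME" for every process under PROC_ROOT (default /proc) that
# still maps a deleted libc. PROC_ROOT is a parameter so the logic can be
# exercised against a constructed directory tree.
stale_pids() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        # Skip entries we cannot read (no privileges, or the process exited).
        [ -r "$d/maps" ] || continue
        if uses_stale_libc "$d/maps"; then
            name=$(cat "$d/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "${d##*/}" "$name"
        fi
    done
}

# Scan the live system only when asked: sh stale-libc.sh --scan
if [ "${1:-}" = "--scan" ]; then
    stale_pids /proc
fi
```

An empty result after the restarts means no running process on that system still maps the replaced library; run it separately on the node and inside each container or VM.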

Parallels takes the security of our customers very seriously and encourages you to take the recommended actions as soon as possible.

We also strongly encourage you to stay connected to Parallels for important product-related information via these methods:

Search Words

Glibc GHOST Vulnerability

CVE-2015-0235

Security Advisory

glibc
