Article ID: 128363, created on Feb 17, 2016, last review on Feb 18, 2016

  • Applies to:
  • Virtuozzo
  • Virtuozzo containers for Linux 4.7
  • Virtuozzo hypervisor

Situation

Source code analysis performed by Google Security Team and Red Hat Team discovered security issue reported as CVE-2015-7547.

During upstream review of the public open bug 18665 for glibc, it was discovered that the bug could lead to a stack-based buffer overflow.

The buffer overflow occurs in the function send_dg (UDP) and send_vc (TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family and in some cases also with AF_INET6 before the fix in commit 8479f23a (only use gethostbyname4_r if PF_UNSPEC).

The use of AF_UNSPEC triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response writing beyond the allocated buffer created by __res_nquery.

This issue affects following operation systems:

  • RHEL 7 and its derivatives
  • RHEL 6 and its derivatives
  • Debian 6.0 (squeeze)
  • Debian 7.0 (wheezy)
  • Debian 8.0 (jessie)
  • Debian 9.0 (stretch)
  • Ubuntu 15.10 and its derivatives
  • Ubuntu 14.04 LTS and its derivatives
  • Ubuntu 12.04 LTS and its derivatives

Impact

There is a remote code execution risk due to this vulnerability. An attacker who exploits this issue can gain complete control of the compromised system.

More information about CVE-2015-7547 can be found in glibc project mailing list.

Call to Action

Parallels Virtual Automation

  1. Update host OS of a host or container where PVA Management Node is installed:

    # yum update glibc
    
  2. Restart PVA MN services:

    # service pvamnd restart
    # service pvacc restart
    

Virtuozzo 6

  1. It is recommended to update Virtuozzo 6 nodes by running following command:

    # yum update glibc 
    
  2. The package should be updated inside all the containers and Linux virtual machines running on the node as well.

    a. To update the package inside all running containers, please do the following:

    ~# for i in `vzlist -Ho ctid`; do vzpkg update $i -p glibc; done
    

    b. To update the package inside the stopped containers, you will need to start them temporarily:

    ~# vzctl start CTID
    ~# vzpkg update CTID -p glibc
    

    c. To update the package inside the virtual machines, use the package manager of the corresponding Linux distribution used as the Guest system inside of the VMs. The VMs need to be rebooted to apply the change.

  3. When all containers and virtual machines will be updated, it is necessary to reboot the hardware node.

Paralllels Virtuozzo Containers

The package should be updated on the node and inside all of the running containers as well.

  1. It is recommended to update Parallels Virtuozzo Containers for Linux nodes by running following command:

    # yum update glibc 
    
  2. To update the package inside all running containers, please do the following:

    ~# for i in `vzlist -Ho ctid`; do vzpkg update $i -p glibc; done
    
  3. To update the package inside the stopped containers, you will need to temporarily start them:

    ~# vzctl start CTID
    ~# vzpkg update CTID -p glibc
    
  4. When all containers will be updated, it is necessary to reboot the hardware node.

Virtuozzo takes the security of our customers very seriously and encourages you to take the recommended actions as soon as possible.

We also strongly encourage you to stay connected to Virtuozzo for important product-related information:

Related links

Search Words

USN-2900-1

Security

CVE-2015-7547

glibc

0dd5b9380c7d4884d77587f3eb0fa8ef 2897d76d56d2010f4e3a28f864d69223 d02f9caf3e11b191a38179103495106f e8e50b42231236b82df27684e7ec0beb 0c05f0c76fec3dd785e9feafce1099a9 a26b38f94253cdfbf1028d72cf3a498b

Email subscription for changes to this article
Save as PDF