EGI SVG Advisories

Advisory-SVG-CVE-2015-7547

Title:   EGI SVG Advisory [TLP:White] "Critical" risk glibc remote code
         execution [EGI-SVG-CVE-2015-7547]

Date:    2016-02-17
Updated:

** WHITE information - Unlimited distribution - see
https://go.egi.eu/tlp for distribution restrictions **


Affected Software and Risk
==========================

'Critical' risk vulnerability allowing remote code execution in most Linux
distributions

Package : glibc
CVE ID  : CVE-2015-7547

Actions Required/Recommended
============================

All running resources MUST be patched by 2016-02-24  21:00 UTC.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT
team risk site suspension.

Sites should note that it is necessary to re-start all services; it may be
simplest to re-boot after installation of the updates.
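The advisory asks for all services to be restarted after the update. As an added check that is not part of the advisory, the following POSIX shell script lists the processes that still have the pre-update libc mapped, so an administrator can confirm what still needs a restart (or whether a reboot is the simpler option); it assumes a Linux /proc layout and the hypothetical file name check_libc.sh.

```shell
#!/bin/sh
# Added example, not part of the EGI advisory.  After the glibc update is
# installed, the old library file is unlinked but stays mapped in every
# process started before the update; Linux marks such mappings
# "(deleted)" in /proc/<pid>/maps.  Assumes a Linux /proc layout.

# maps_has_stale_libc MAPS_TEXT
# Exit status 0 if MAPS_TEXT (contents of a /proc/<pid>/maps file) shows a
# libc mapping backed by a deleted file.  Matches libc-2.x.so and libc.so.6
# style names but not libcrypto and similar.
maps_has_stale_libc() {
    printf '%s\n' "$1" | grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$'
}

# list_stale_libc_pids
# Print "<pid> <comm>" for each running process still using the old libc.
# Needs root to read the maps of processes owned by other users.
list_stale_libc_pids() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}
        pid=${pid%/maps}
        maps=$(cat "$m" 2>/dev/null) || continue
        if maps_has_stale_libc "$maps"; then
            comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm='?'
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# Constructed sample lines (not captured from a real host) showing the
# three cases the matcher must distinguish.
SAMPLE_STALE='7f3a1c200000-7f3a1c3c0000 r-xp 00000000 fd:01 1234   /lib64/libc-2.17.so (deleted)'
SAMPLE_FRESH='7f3a1c200000-7f3a1c3c0000 r-xp 00000000 fd:01 5678   /lib64/libc-2.17.so'
SAMPLE_OTHER='7f3a1c400000-7f3a1c5c0000 r-xp 00000000 fd:01 9012   /lib64/libcrypto.so.1.0.0 (deleted)'

# Run the live scan only when explicitly asked, e.g.: sh check_libc.sh --scan
if [ "${1:-}" = "--scan" ]; then
    list_stale_libc_pids
fi
```

An empty scan result after the update means every process is on the new library; any process listed must be restarted before the site can consider itself patched.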

Affected Software Details
=========================

RedHat 6, RedHat 7 plus their derivatives [R 1]

Ubuntu is affected [R 2]

Debian is affected [R 3]

For SL6 see [R 4]

For SL7 see [R 5]

CentOS [R 6]


More information
================

More info on this vulnerability is at [R 7]

Google states they were able to carry out remote code execution, but did not
release the exploit.

So far no exploit has been found which allows this vulnerability to be
exploited in the EGI Infrastructure. We cannot be sure that there isn't a
serious exploit which would work in the EGI infrastructure of which we are not
aware; because of this, and the high level of publicity this vulnerability has
received, it has been assessed as 'Critical'.

It is also noted that this vulnerability affects almost all Linux-based
systems, including a very wide variety of applications, not just the EGI
infrastructure.

Mitigation
==========

N/A.


Component installation information
==================================

See the vendors' web sites:

RedHat 6, RedHat 7 [R 1]

Ubuntu is affected [R 2]

Debian is affected [R 3]

For SL6 see [R 4]

For SL7 see [R 5]

For CentOS see [R 6]


URL
===

URL:   https://advisories.egi.eu/2015/Advisory-SVG-CVE-2015-7547

Minor updates may be made without re-distribution to the sites

Credit
======

SVG was alerted to this vulnerability by David Crooks

References
==========

[R 1] https://access.redhat.com/security/cve/cve-2015-7547

[R 2] http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7547.html

[R 3] https://security-tracker.debian.org/tracker/CVE-2015-7547

[R 4] https://www.scientificlinux.org/sl-errata/slsa-20160175-1/

[R 5] https://www.scientificlinux.org/sl-errata/slsa-20160176-1/

[R 6] https://www.centosblog.com/new-glibc-exploit-found-patch-for-cve-2015-7547-available-now/

[R 7] https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html


Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu


Timeline
========
Yyyy-mm-dd  [EGI-SVG-CVE-2015-7547]

2016-02-16 (evening) SVG alerted to this issue by David Crooks
2016-02-17 Acknowledgement from the EGI SVG to the reporter
2016-02-17 Investigation of vulnerability and relevance to EGI carried out by
           (as appropriate)
2016-02-17 EGI SVG Risk Assessment completed
2016-02-17 Updated packages available for RHEL, Ubuntu, Debian, SL6, SL7,
           CentOS
2016-02-17 Advisory/Alert sent to sites