High vulnerabilities on DevTest images

Article ID: 129763

Updated On:

Products

CA Application Test Service Virtualization CA Continuous Application Insight (PathFinder)

Issue/Introduction

We did a scan on a DevTest image and found a couple of high vulnerabilities, which are reported as below:

1. SEVERITY NOTE
Note that this vulnerability was originally given a CVSSv2 score of 7.2 by NVD but was subsequently reclassified as High by Ubuntu.
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

2. SEVERITY NOTE
Note that this vulnerability was originally given a CVSSv2 score of 5 by NVD but was subsequently reclassified as High by Ubuntu.
In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.

Cause

This is caused by GNU C Library vulnerabilities.

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Environment

Ubuntu 
All supported DevTest images

Resolution

The problem can be corrected by updating your system to the package versions listed in the advisories linked below:
https://usn.ubuntu.com/3534-1/

https://usn.ubuntu.com/3341-1/

Please upgrade libc6 and systemd.
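To confirm that an image picked up the upgrade, the installed libc6 and systemd versions can be compared against the fixed versions from the two advisories using Debian version ordering. A plain string comparison gets this wrong (for example, a revision ending in 9 sorts after one ending in 10). The following is an added example, not part of the original article or of DevTest; the function names are hypothetical and the minimum versions are constructed placeholders that must be replaced with the values the advisories list for your Ubuntu release.

```python
import re

# CONSTRUCTED placeholder minimums, NOT real fixed versions: replace with the
# versions the two advisories list for your Ubuntu release.
MIN_FIXED = {"libc6": "2.0-0placeholder10", "systemd": "200-0placeholder3"}
# Constructed manifest in the format printed inside the image by:
#   dpkg-query -W -f='${Package} ${Version}\n'
SAMPLE = "libc6 2.0-0placeholder9\nsystemd 200-0placeholder3\nexamplepkg 1.0-1\n"

def _order(ch):
    """dpkg character order: '~' first, then end of string, letters, others."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings as alternating text/number runs."""
    while a or b:
        ta, a = re.match(r"(\D*)(.*)", a).groups()
        tb, b = re.match(r"(\D*)(.*)", b).groups()
        for i in range(max(len(ta), len(tb))):
            ca = _order(ta[i]) if i < len(ta) else 0
            cb = _order(tb[i]) if i < len(tb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        na, a = re.match(r"(\d*)(.*)", a).groups()
        nb, b = re.match(r"(\d*)(.*)", b).groups()
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def deb_cmp(v1, v2):
    """Return -1, 0 or 1 for v1 <, ==, > v2 under Debian version ordering."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def outdated(manifest, minimums=MIN_FIXED):
    """Return the packages in the manifest that are below their minimum version."""
    found = dict(l.split()[:2] for l in manifest.splitlines() if l.strip())
    return sorted(p for p, m in minimums.items()
                  if p in found and deb_cmp(found[p], m) < 0)
```

A non-empty result from `outdated()` means the image still needs the libc6 or systemd upgrade described above.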