CA Application TestService VirtualizationCA Continuous Application Insight (PathFinder)CA Service Virtualization (DevTest / LISA / VSE / Application Test)
Issue/Introduction
We did a scan on DevTest image and found couple of high vulnerabilities and they reported as below: 1. SEVERITY NOTE Note that this vulnerability was originally given a CVSSv2 score of 7.2 by NVD but was subsequently reclassified as High by Ubuntu In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
2. SEVERITY NOTE Note that this vulnerability was originally given a CVSSv2 score of 5 by NVD but was subsequently reclassified as High by Ubuntu
In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.
Cause
This is caused by GNU C Library vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 17.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Environment
Ubuntu All supported DevTest images
Resolution
The problem can be corrected by updating your system to the following package versions mentioned in the link below: https://usn.ubuntu.com/3534-1/