High vulnerabilities on DevTest images
Article ID: 129763
Updated On:
Products
CA Application Test
Service Virtualization
CA Continuous Application Insight (PathFinder)
Issue/Introduction
We did a scan on DevTest image and found couple of high vulnerabilities and they reported as below:
1. SEVERITY NOTE
Note that this vulnerability was originally given a CVSSv2 score of 7.2 by NVD but was subsequently reclassified as High by Ubuntu
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
2. SEVERITY NOTE
Note that this vulnerability was originally given a CVSSv2 score of 5 by NVD but was subsequently reclassified as High by Ubuntu
In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.
1. SEVERITY NOTE
Note that this vulnerability was originally given a CVSSv2 score of 7.2 by NVD but was subsequently reclassified as High by Ubuntu
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
2. SEVERITY NOTE
Note that this vulnerability was originally given a CVSSv2 score of 5 by NVD but was subsequently reclassified as High by Ubuntu
In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.
Cause
This is caused by GNU C Library vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Environment
Ubuntu
All supported DevTest images
All supported DevTest images
Resolution
The problem can be corrected by updating your system to the following package versions mentioned in the link below:
https://usn.ubuntu.com/3534-1/
https://usn.ubuntu.com/3341-1/
Please upgrade their libc6 and systemd.
https://usn.ubuntu.com/3534-1/
https://usn.ubuntu.com/3341-1/
Please upgrade their libc6 and systemd.
Feedback
Yes
No
Powered by
