High vulnerabilities on DevTest images

Article Id: 129763
Status: Published
Updated On: 20-03-2019 07:25
Products:
CA Application Test , Service Virtualization , CA Continuous Application Insight (PathFinder)
Issue/Introduction:

We did a scan on DevTest image  and found couple of high vulnerabilities and they reported as below: 
1.    SEVERITY NOTE 
Note that this vulnerability was originally given a CVSSv2 score of 7.2 by NVD but was subsequently reclassified as High by Ubuntu 
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. 

2.    SEVERITY NOTE 
Note that this vulnerability was originally given a CVSSv2 score of 5 by NVD but was subsequently reclassified as High by Ubuntu 

In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.

Cause:

This is caused by  GNU C Library vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Environment:

Ubuntu 
All supported DevTest images

Resolution:

The problem can be corrected by updating your system to the following package versions mentioned in the link below: 
https://usn.ubuntu.com/3534-1/ 

https://usn.ubuntu.com/3341-1/ 

Please upgrade their libc6 and systemd.