Hitachi Incident Response Team

HIRT-PUB15001: GNU C Library (glibc) 'GHOST' issue in Hitachi products

(VU#967332, CVE-2015-0235)

Last Updated: February 6, 2015

1. Overview

GNU C Library (glibc) contains a heap buffer overflow vulnerability that may allow an attacker to remotely execute arbitrary code. This vulnerability has been assigned CVE-2015-0235, and is commonly referred to as "GHOST".

January 27, 2015
A heap-based buffer overflow in the __nss_hostname_digits_dots() function of glibc, reachable through the gethostbyname() and gethostbyname2() families of calls (including their _r variants), was publicly disclosed by Qualys. Security updates for this vulnerability (CVE-2015-0235) have been released by most major Linux distributions.

CVSS Severity

CVE-2015-0235: glibc Remote Heap Buffer Overflow Vulnerability

 Base Metrics: 6.8
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: Partial

 Temporal Metrics: 5.0 (January 29, 2015)
  Exploitability: Unproven that exploit exists
  Remediation Level: Official fix
  Report Confidence: Confirmed

2. Affected Systems

+ All versions of glibc from glibc-2.2 (released 2000-11-10) up to and including glibc-2.17 (released 2012-12-25); the fix is contained in glibc-2.18 and in the backported packages of the distributions
+ Linux and UNIX distributions that use glibc
+ Hitachi Products that use glibc

3. Impact

By attacking a service that uses a vulnerable version of glibc, a remote, unauthenticated attacker may be able to execute arbitrary code.

4. Solution

Apply an update

This issue is fixed in glibc. Apply the glibc security update released by your Linux distribution, then restart the services that use glibc (or reboot the system): processes that are already running keep the old library mapped and remain vulnerable until they are restarted. For Hitachi products, refer to the advisories listed in "5. Product Information".
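The following C program is an added example for verifying the installed glibc; it is not part of the Hitachi advisory and not glibc's own code. It reproduces the check Qualys described in its disclosure: gethostbyname_r() is handed an all-digit name whose length is chosen so that the flawed size calculation in __nss_hostname_digits_dots() exactly fills a 1024-byte scratch buffer, and a sentinel placed immediately behind that buffer is inspected afterwards. On an unpatched glibc the sentinel is overwritten; on a fixed glibc the call returns ERANGE and the sentinel is intact. The constants (a 16-byte address slot, two pointer slots, one NUL) follow the temporaries of the vulnerable function as analysed in the Qualys disclosure and assume a glibc-based system; the function and enum names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Sentinel placed directly behind the scratch buffer handed to gethostbyname_r().
 * The vulnerable __nss_hostname_digits_dots() writes sizeof(char *) bytes past
 * the end of that buffer, which lands on this sentinel. */
#define CANARY "in_the_coal_mine"

static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe;

enum ghost_result {
    GHOST_FIXED = 0,        /* library rejected the undersized buffer with ERANGE */
    GHOST_VULNERABLE = 1,   /* sentinel overwritten: the overflow was reproduced */
    GHOST_INCONCLUSIVE = 2  /* neither (e.g. non-glibc libc); do not treat as safe */
};

/* Example helper (not a glibc API). Returns the classification above and,
 * if retval_out is non-NULL, the raw gethostbyname_r() return code. */
enum ghost_result ghost_check(int *retval_out)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(probe.buffer)];

    /* Assumption (from the Qualys analysis of the flawed size_needed formula):
     * the function stores a 16-byte address, two char * address-list slots and
     * the NUL-terminated name in the caller's buffer but forgets to reserve
     * one more char * (the alias pointer). With a name of this length,
     * size_needed equals the buffer size, the "buffer too small" check passes,
     * and the copy runs sizeof(char *) bytes past the end. */
    size_t len = sizeof(probe.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);          /* all digits: takes the numeric-host path */
    name[len] = '\0';

    /* Reset the probe so repeated calls start from a known state. */
    memset(probe.buffer, 0, sizeof probe.buffer);
    memcpy(probe.canary, CANARY, sizeof CANARY);

    int retval = gethostbyname_r(name, &resbuf, probe.buffer,
                                 sizeof probe.buffer, &result, &herrno);
    if (retval_out)
        *retval_out = retval;

    if (memcmp(probe.canary, CANARY, sizeof CANARY) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_FIXED;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    int rc;
    switch (ghost_check(&rc)) {
    case GHOST_VULNERABLE:
        puts("vulnerable: gethostbyname_r() overran its buffer");
        return 1;
    case GHOST_FIXED:
        puts("not vulnerable: gethostbyname_r() returned ERANGE, buffer intact");
        return 0;
    default:
        printf("inconclusive: gethostbyname_r() returned %d, buffer intact\n", rc);
        return 2;
    }
}
```

Build with `cc ghost_check.c -o ghost_check` and run it after the update; because the binary links against the currently installed glibc, it tests the library on disk, not the copy still mapped into services that were started before the update, so those still need to be restarted.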

5. Product Information

February 6, 2015

+ Hitachi Server Products
    - Display/Keyboard unit/Switch Console Unit
    - Hitachi Server Navigator Installation Assistant

January 30, 2015

+ Hitachi Open Middleware Products
    - JP1
    - Cosminexus
    - HiRDB
    - Hitachi Command Suite
+ Hitachi Server Products
    - BladeSymphony / Hitachi Compute Blade BS2500/BS2000/BS500/BS320/BS1000
      CB2500/CB2000/CB500/CB320 series
    - Virtage/Logical partitioning manager
      (BladeSymphony/Hitachi Compute Blade BS2500/BS2000/BS500/BS320/BS1000
      CB2500/CB2000/CB500/CB320 series)
    - Hitachi Advanced Server HA8000 / Hitachi Compute Rack series
    - Hitachi Advanced Server HA8500 series
    - Entry Blade Server HA8000-bd series
    - HA8000-tc series
    - Client Blade FLORA bd100/bd500 series
    - Thin Client FLORA Se210/Se330 series
    - Client Integrated Management Software (Hitachi bd Link)
    - Entry class disk array model BR1200
    - Tape Library
    - Hitachi UPS/Management software/Hitachi UPS option, PowerMonitor H, PowerMonitor H for Network,
      SNMP interface card, Disk interface card, SNMP+Disk interface card
    - Hitachi Server Navigator Update Manager, Log Collect, Log Monitor, Alive Monitor, RAID Navigator
    - Hitachi Fibre Channel - Path Control Manager
+ Hitachi Storage Products
    - Hitachi Virtual File Platform
    - Hitachi Data Ingestor
    - Hitachi NAS Platform F
    - Hitachi Adaptable Modular Storage 2000, BR1600 (HSNM2)
    - Hitachi Unified Storage 100, BR1650 (HSNM2)
    - Hitachi Tape Array (TF) (HSNM2)
    - Hitachi Universal Storage Platform V/VM
    - Hitachi Virtual Storage Platform
    - Hitachi Virtual Storage Platform G1000
    - BCM
    - Hitachi Storage Related Products (FC-SW)

January 29, 2015

The issue is currently under investigation.

6. References

7. Update history

February 6, 2015
  • Updated: Product Information in "February 6, 2015".
February 2, 2015
  • Updated: Product Information in "January 30, 2015".
January 29, 2015
  • This webpage was newly created and published.

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)