Skip to Main Content

Hitachi Logo
earth icon
    mail icon Contact Us
    Hitachi Global
    Hitachi Global

    HIRT-PUB15001: GNU C Library (glibc) 'GHOST' issue in Hitachi products

    (VU#967332, CVE-2015-0235)

    Last Updated: February 6, 2015

    1. Overview

    GNU C Library (glibc) contains a heap buffer overflow vulnerability that may allow an attacker to remotely execute arbitrary code. This vulnerability has been assigned CVE-2015-0235, and is commonly referred to as "GHOST".

     

    January 27, 2015
    A buffer overflow vulnerability in the __nss_hostname_digits_dots() function of the glibc was disclosed to the public by Qualys. Security update for glibc vulnerability (CVE-2015-0235) has been released for most major Linux distributions.

    CVSS Severity

    CVE-2015-0235: glibc Remote Heap Buffer Overflow Vulnerability

     Base Metrics: 6.8
      Access Vector: Network
      Access Complexity: Medium
      Authentication: None
      Confidentiality Impact: Partial
      Integrity Impact: Partial
      Availability Impact: Partial

     

     Temporal Metrics 5.0 (January 29, 2014)
      Exploitablity: Unproven that exploit exists
      Remediation Level: Official fix
      Report Confidence: Confirmed

    http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

    2. Affected Systems

    + All versions of glibc from glibc-2.2 (released 2010-11-10) until glibc-2.17 (released 2012-12-25)
    + Linux and UNIX distributions that use glibc
    + Hitachi Products that use glibc

    3. Impact

    By attacking a service that uses a vulnerable version of glibc, a remote, unauthenticated attacker may be able to execute arbitrary code.

    4. Solution

    Apply an update

    This issue is addressed in glibc. Followings are security update of Linux distributions. Also, please refer to the advisories in "5. Product Information" of Hitachi.

     

    CentOS

    CESA-2015:0090 Critical CentOS 5 glibc Security Update
    http://lists.centos.org/pipermail/centos-announce/2015-January/020906.html

    CESA-2015:0092 Critical CentOS 6 glibc Security Update
    http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html

    CESA-2015:0092 Critical CentOS 7 glibc Security Update
    http://lists.centos.org/pipermail/centos-announce/2015-January/020908.html

     

    Debian

    DSA-3142-1 eglibc -- security update
    https://www.debian.org/security/2015/dsa-3142

     

    Red Hat

    RHSA-2015:0090 Critical: glibc security update
    https://rhn.redhat.com/errata/RHSA-2015-0090.html

    RHSA-2015:0092 Critical: glibc security update
    https://rhn.redhat.com/errata/RHSA-2015-0092.html

     

    SUSE

    CVE-2015-0235
    http://support.novell.com/security/cve/CVE-2015-0235.html

     

    Ubuntu

    USN-2485-1: GNU C Library vulnerability
    http://www.ubuntu.com/usn/usn-2485-1/

    5. Product Information

    February 6, 2015

    + Hitachi Server Products
        - Display/Keyboard unit/Switch Console Unit
        - Hitachi Server Navigator Installation Assistant

    HWS15-001: Solution of GNU C Library vulnerability (CVE-2015-0235) [Japanese]

    January 30, 2015

    + Hitachi Open Middleware Products
        - JP1
        - Cosminexus
        - HiRDB
        - Hitachi Command Suite
    + Hitachi Server Products
        - BladeSymphony / Hitachi Compute Blade BS2500/BS2000/BS500/BS320/BS1000
          CB2500/CB2000/CB500/CB320 series
        - Virtage/Logical partitioning manager
          (BladeSymphony/Hitachi Compute Blade BS2500/BS2000/BS500/BS320/BS1000
          CB2500/CB2000/CB500/CB320 series)
        - Hitachi Advanced Server HA8000 / Hitachi Compute Rack series
        - Hitachi Advanced Server HA8500 series
        - Hitachi Advanced Server HA8000 / Hitachi Compute Rack series
        - Entry Blade Server HA8000-bd series
        - HA8000-tc series
        - Client Blade FLORA bd100/bd500 series
        - Thin Client FLORA Se210/Se330 series
        - Client Intagrated Management Software (Hitachi bd Link)
        - Entry class disk array model BR1200
        - Tape Library
        - Hitachi UPS/Management software/Hitachi UPS option, PowerMonitor H, PowerMonitor H for Network,
          SNMP interface card, Disk interface card, SNMP+Disk interface card
        - Hitachi Server Navigator Update Manager, Log Collect, Log Monitor, Alive Monitor, RAID Navigatorr
        - Hitachi Fibre Channel - Path Control Manager
    + Hitachi Storage Products
        - Hitachi Virtual File Platform
        - Hitachi Data Ingestor
        - Hitachi NAS Platform F
        - Hitachi Adaptable Modular Storage 2000, BR1600 (HSNM2)
        - Hitachi Unified Storage 100, BR1650 (HSNM2)
        - Hitachi Tape Array (TF) (HSNM2)
        - Hitachi Universal Storage Platform V/VM
        - Hitachi Virtual Storage Platform
        - Hitachi Virtual Storage Platform G1000
        - BCM
        - Hitachi Storage Related Products (FC-SW)

    HWS15-001: Solution of GNU C Library vulnerability (CVE-2015-0235) [Japanese]

    January 29, 2015

    The issue is currently under investigation.

    6. References

    VU#967332: GNU C Library (glibc) __nss_hostname_digits_dots() function vulnerable to buffer overflow (2015-01-28)
    http://www.kb.cert.org/vuls/id/967332

    CVE-2015-0235
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

    Qualys Security Advisory CVE-2015-0235 GHOST: glibc gethostbyname buffer overflow (2015-01-27)
    https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

    The GNU C Library (glibc)
    http://www.gnu.org/software/libc/

    7. Update history

    February 6, 2015

    • Updated: Product Information in "February 6, 2015".

    February 2, 2015

    • Updated: Product Information in "January 30, 2015".

    January 29, 2015

    • This webpage was newly created and published.

    Masato Terada (HIRT) and Naoko Ohnishi (HIRT)