Security Advisory: Critical glibc Security Vulnerability
Posted by Kevin Stange on 27 January 2015 12:40 PM
A vulnerability has recently been disclosed in the GNU C Library (glibc) which affects all systems running CentOS 5 through 7 and Debian 7 "Wheezy". This vulnerability is serious and may allow a remote attacker to cause your server to run code with the privilege level of a network-facing service such as a web or mail server. The vulnerability exists in all common versions of glibc through 2.17. It was fixed in version 2.18 in mid-2013, but at the time it was not regarded as a security issue, so no security release was made for earlier versions. The issue is known as the "GHOST" vulnerability and has been assigned the ID CVE-2015-0235 in the Common Vulnerabilities and Exposures database. Qualys, the company that discovered the vulnerability, has published a useful article explaining what GHOST is.

Windows servers do not use glibc.

Some third-party applications include a separate copy of glibc instead of using the operating system version. You may wish to check any third-party software you have installed for bulletins and updates, if applicable.

CentOS and Debian have patched this vulnerability as of January 27th, 2015. To completely patch this vulnerability, you must update your glibc package and then restart all services that use glibc. Because glibc is used by nearly every application on Linux, it is strongly recommended that you reboot your server after installing the update to ensure nothing is missed.

CentOS

To check which version of glibc is installed, run the following command:

    rpm -q glibc

The version number should be greater than or equal to the following, based on the version of CentOS you are using:
When reading a version number from left to right, if you reach a number that is higher than the above version for your OS, you likely already have a patched version. For example, 2.5-124 is newer than 2.5-123.el5_11.1. If you have any doubt, please contact support and we will be happy to review your system.

If your version number is lower, run the following command and ensure that an update to the glibc package is included:

    yum -y update glibc

If no update is available, run the following command, then repeat the command above:

    yum clean metadata

After the upgrade completes, you should restart your web server and all other services running on your system. For example, to restart your web server, you can run the following command:

    service httpd restart

If you have a control panel, step through each service listed in the "Services" area of the control panel and restart them one by one. If you have any doubt about which services to restart, we recommend restarting your entire server. You can do this by running the command:

    reboot

Red Hat published the following advisories regarding this vulnerability:
Debian 7

To check which version of glibc is installed, run the following command:

    dpkg -s libc6 | grep Version

The version number should be greater than or equal to 2.13-38+deb7u7. The notable part to look for is the "+deb7u7" at the end. If the last number is not 7 or higher, or the part after "+" is missing, you will need to upgrade.

If your version number is lower, run the following command and ensure that an update to the libc6 package is included:

    apt-get update

For example, to restart your web server, you can run the following command:

    service apache2 restart

If you have a control panel, step through each service listed in the "Services" area of the control panel and restart them one by one. If you have any doubt about which services to restart, we recommend restarting your entire server. You can do this by running the command:

    reboot

Debian published the following advisories regarding this vulnerability:
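The version check described in the CentOS and Debian sections above, as an added worked example that is not part of this advisory: it parses constructed sample lines in the format printed by `rpm -q glibc` and `dpkg -s libc6 | grep Version` and compares the installed version left to right against the minimum patched version, using a simplified rpmvercmp-style comparison. Assumptions: epochs and '~' are ignored, the architecture-suffix stripping and the sample lines are constructed here, and only the minimum versions quoted in the advisory text (CentOS 5 and Debian 7) are included.

```python
import re
# Minimums quoted in the advisory (CentOS 5's is the value in its own "2.5-124 is newer
# than ..." example; CentOS 6/7 minimums are not quoted there and so are not included).
MINIMUM = {"centos5": "2.5-123.el5_11.1", "debian7": "2.13-38+deb7u7"}
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")             # '.', '_', '+' only separate segments
_ARCH = re.compile(r"\.(x86_64|i[3-6]86|noarch)$")  # newer rpm appends an arch suffix

def _cmp_segments(a, b):
    """rpmvercmp-style: digits by value, letters lexically, digits beat letters;
    when every shared segment ties, the string with more segments is newer."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def _split(version):  # '2.5-123.el5_11.1' -> ('2.5', '123.el5_11.1')
    upstream, sep, release = version.rpartition("-")
    return (upstream, release) if sep else (release, "")

def vercmp(a, b):
    """1, 0 or -1 as a is newer, equal or older; upstream part first, then release.
    Assumption: no epoch ('1:') or '~' appears, which holds for glibc and libc6 here."""
    (va, ra), (vb, rb) = _split(a), _split(b)
    return _cmp_segments(va, vb) or _cmp_segments(ra, rb)

def parse_rpm_query(line):
    """'glibc-2.5-123.el5_11.1' (possibly with '.x86_64') -> '2.5-123.el5_11.1'."""
    name = _ARCH.sub("", line.strip())
    if not name.startswith("glibc-"):
        raise ValueError("not `rpm -q glibc` output: %r" % line)
    return name[len("glibc-"):]

def parse_dpkg_version(line):
    """'Version: 2.13-38+deb7u7' -> '2.13-38+deb7u7'."""
    return line.partition(":")[2].strip()

# Constructed sample lines as printed by `rpm -q glibc` and `dpkg -s libc6 | grep Version`
SAMPLES = [("centos5", "glibc-2.5-118.el5_10.2"), ("centos5", "glibc-2.5-124"),
           ("debian7", "Version: 2.13-38"), ("debian7", "Version: 2.13-38+deb7u7")]
def report(samples=SAMPLES):
    """Map each raw line to 'patched' or 'UPDATE NEEDED' against its distro's minimum."""
    result = {}
    for distro, line in samples:
        ver = parse_rpm_query(line) if distro == "centos5" else parse_dpkg_version(line)
        result[line] = "UPDATE NEEDED" if vercmp(ver, MINIMUM[distro]) < 0 else "patched"
    return result
```

On Debian, `dpkg --compare-versions` gives the authoritative answer; this script only mirrors the left-to-right reading the advisory describes.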
If you have any questions or need assistance performing these upgrades, please contact us and we'll be happy to help.