8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
GNU glibc
contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code.
CWE-121**: Stack-based Buffer Overflow -**CVE-2015-7547
According to a Google security blog post:
“The glibc
DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo()
library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.”
According to glibc
developers, the vulnerable code was initially added in May 2008 as part of the development for glibc
2.9. All versions from 2.9 (originally released November 2008) to 2.22 appear to be affected.
More details and analysis are available in the patch announcement from glibc
developers.
The getaddrinfo()
function allows a buffer overflow condition in which arbitrary code may be executed. The impact may vary depending on if the use case is local or remote.
Apply an update
A patch for glibc
is available. Affected users should apply the patch as soon as possible. The patch will also be included as part of the upcoming glibc
2.23 release.
The Vendor Status information below provides more information on updates.
Some embedded operating systems or older, no longer supported versions of linux distributions may contain an older version of glibc
that is vulnerable. Please check with your vendor to find out if you need to upgrade to a newer operating system in order to address this issue.
457759
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: February 17, 2016 Updated: February 23, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: February 17, 2016 Updated: February 17, 2016
Statement Date: February 17, 2016
Affected
“Arista Networks is investigating the applicability of VU#457759 to our products. More information will be available as the investigation proceeds.”
We are not aware of further vendor information regarding this vulnerability.
Notified: February 17, 2016 Updated: February 26, 2016
Statement Date: February 26, 2016
Affected
“Blue Coat products using an affected version of the GNU C Library (glibc) are susceptible to a remote execution attack. A remote attacker can send a crafted DNS response to the glibc DNS resolver and cause the resolver to crash or execute arbitrary code.”
Fixes for the vulnerable products are pending. Please see the advisory below.
Notified: February 17, 2016 Updated: March 14, 2016
Affected
We have not received a statement from the vendor.
A patched version of glibc is available for CentOS. The forum discussion at the URL below provides further information.
Notified: February 17, 2016 Updated: February 18, 2016
Statement Date: February 18, 2016
Affected
We have not received a statement from the vendor.
Cisco has provided a security advisory which contains details of which products are affected at the URL below:
Notified: February 17, 2016 Updated: February 17, 2016
Statement Date: February 17, 2016
Affected
We have not received a statement from the vendor.
Debian has released glibc updates containing the patches. Please see the announcements below:
Notified: February 17, 2016 Updated: February 17, 2016
Affected
We have not received a statement from the vendor.
A detailed analysis and patch for glibc are available at the URL below.
Notified: February 17, 2016 Updated: February 17, 2016
Statement Date: February 17, 2016
Affected
We have not received a statement from the vendor.
glibc has been updated with the patch on Gentoo. Please see the Gentoo security advisory at the URL below.
<https://security.gentoo.org/glsa/201602-02>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23457759 Feedback>).
Notified: February 17, 2016 Updated: February 17, 2016
Affected
We have not received a statement from the vendor.
glibc has been updated with the patch. Please see the Red Hat security advisory at the URL below.
Notified: February 17, 2016 Updated: February 17, 2016
Statement Date: February 17, 2016
Affected
We have not received a statement from the vendor.
Ubuntu has released a patched version of glibc. Please see the security advisory at the URL below:
Updated: February 18, 2016
Statement Date: February 18, 2016
Not Affected
“No version of our software is affected by VU#457759 (glibc vulnerable to stack buffer overflow in DNS resolver)
”
We are not aware of further vendor information regarding this vulnerability.
Notified: February 17, 2016 Updated: February 22, 2016
Statement Date: February 20, 2016
Not Affected
"Openwall GNU/*/Linux is not affected. We use a fork of a version of glibc predating the introduction of this vulnerability.
We have previously patched the somewhat related GHOST vulnerability."
We are not aware of further vendor information regarding this vulnerability.
Notified: February 17, 2016 Updated: February 17, 2016
Statement Date: February 17, 2016
Not Affected
PC-BSD is based upon FreeBSD, and as such does not use glibc by default for any native *BSD applications. As such, it is not vulnerable to CVE-2015-7547.
PC-BSD does allow running Linux applications through emulation, in which case users should ensure their packages / VM’s are updated in accordance with upstream methods.
We are not aware of further vendor information regarding this vulnerability.
Updated: February 18, 2016
Statement Date: February 18, 2016
Not Affected
“The TCPWave DNS Appliances and TCPWave Sharkcage Appliances do not use a vulnerable version of glibc in the current production releases. A newer version that is scheduled for a summer release has been found vulnerable and has been patches. When the customers upgrade the existing appliances to a newer version, they will not be impacted by this vulnerability.”
TCPWave has provided a security advisory at the URL below:
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 29, 2016
Statement Date: February 29, 2016
Unknown
We have not received a statement from the vendor.
The following products are confirmed to be not affected:
* FortiOS
* FortiSwitch
* FortiAnalyzer
Other products are in the course of being investigated. Please see the URL below for more information and updates.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 22, 2016
Statement Date: February 19, 2016
Unknown
We have not received a statement from the vendor.
The vendor has provided the following list. A statement is available at the URL below.
The following products have been confirmed to be not vulnerable to the glibc issue reported as CVE-2015-7547:
* Junos OS does not use glibc and is not affected by this issue.
Note: Linux VM-based platforms (e.g. vSRX, vMX, etc.) include glibc, but do not make use of DNS client libraries during normal operation.
* Junos Space
* ScreenOS uses a different implementation of libc and is not affected by this issue.
* QFabric Director
* JUNOSe
* CTP and CTPView
* NSM server relies on underlying OS glibc library. Contact OS vendor
* SBR Carrier running on RHEL relies on the glibc library shipped with the OS. Customers should contact the OS vendor to upgrade glibc.
* SBR Carrier running on Solaris is not vulnerable as it does not use this library.
* WX/WXC
* Netscreen IDP
Other products are still under investigation.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 17, 2016 Updated: February 17, 2016
Unknown
We have not received a statement from the vendor.
View all 92 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 8.1 | E:POC/RL:TF/RC:C |
Environmental | 8.1 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
This vulnerability was disclosed by Fermin J. Serna and Kevin Stadmeyer of Google and Florian Weimer and Carlos O𠆝onell of Red Hat. Google thanks: “Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O𠆝onell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development.”
This document was written by Garret Wassermann.
CVE IDs: | CVE-2015-7547 |
---|---|
Date Public: | 2016-02-16 Date First Published: |
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%