Security Bulletin: IBM Software Delivery and Lifecycle Patterns for the glibc vulnerabilities (CVE-2015-7547)

Summary

IBM Software Delivery and Lifecycle Patterns requires client action for the glibc vulnerabilities.
The GNU C Library (glibc) is vulnerable to a heap-based buffer overflow, a local attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with root privileges.
GNU C Library (glibc) is vulnerable to a stack-based buffer overflow. By sending a specially crafted DNS response, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

Vulnerability Details

CVEID: CVE-2015-7547**
DESCRIPTION:** GNU C Library (glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the nss_dns backend for the getaddrinfo() function when performing dual A/AAAA DNS queries. By sending a specially crafted DNS response, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Software Delivery and Lifecycle Patterns 1.0 and 1.0.1

Remediation/Fixes

IBM strongly recommends you should contact Red Hat to obtain and install fixes for Red Hat Enterprise Linux 6.4.

Alternatively, if you have access to a Yum update repository, you may update the glibc library by using the command: yum update glibc

After the update is applied you need to reboot the system or restart all affected services.