Summary
Epicor has been made aware of a critical vulnerability in the glibc library, which has been assigned CVE-2015-0235 and is commonly referred to as ‘GHOST’. All versions of glibc shipped with all variants of Red Hat Enterprise Linux are affected.
GHOST is a ‘buffer overflow’ bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.
The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.
Checking Vulnerability
The easiest way to check for the vulnerability is to run the the Red Hat Access Lab’s “glibc (GHOST) Detector” script:
curl -s http://kb.eclipseinc.com/repo/GHOST-test.sh | bash
If the server is vulnerable, you will see output similar to:
Installed glibc version(s) - glibc-2.5-42.i686: vulnerable - glibc-2.5-42.x86_64: vulnerable This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235> Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
If the server is not vulnerable, you will see output similar to:
Installed glibc version(s) - glibc-2.5-123.el5_11.1.x86_64: not vulnerable - glibc-2.5-123.el5_11.1.i686: not vulnerable
Resolution
Update RHEL to patch the affected libraries:
yum -y update glibc nscd
Double-check that the patches have been applied by running the detection script again:
curl -s http://kb.eclipseinc.com/repo/GHOST-test.sh | bash
Reboot the server to finish applying the patches:
reboot
Troubleshooting
If you receive an error when attempting to run yum, it could be because your Red Hat subscription has expired. In this case, we’ve setup a package repository for you, which you can use by running the following commands:
curl -s -o /etc/yum.repos.d/eclipse.repo http://kb.eclipseinc.com/repo/eclipse.repo yum -y update glibc nscd
If you receive an error similar to “Public key for glibc-headers-2.5-123.el5_11.1.x86_64.rpm is not installed”, then it means your Red Hat software is very much out of date, and you’ll need to first update some other packages:
curl -s -o /usr/share/rhn/RHNS-CA-CERT http://kb.eclipseinc.com/repo/RHNS-CA-CERT curl -s -o /etc/yum.repos.d/eclipse.repo http://kb.eclipseinc.com/repo/eclipse.repo yum --nogpgcheck -y update rhn* rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release yum -y update glibc nscd
Frequently Asked Questions
Q: I installed the patch, and now the script says my server is “not vulnerable”. Do I still need to reboot my server?
A: Yes.