Amazon Linux 2 : glibc (ALAS-2018-1048)

critical Nessus Plugin ID 111335

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.(CVE-2018-11236)

The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. (CVE-2017-15670)

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.(CVE-2017-15804)

An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.(CVE-2017-18269)

Solution

Run 'yum update glibc' to update your system.

See Also

https://alas.aws.amazon.com/AL2/ALAS-2018-1048.html

Plugin Details

Severity: Critical

ID: 111335

File Name: al2_ALAS-2018-1048.nasl

Version: 1.2

Type: local

Agent: unix

Published: 7/26/2018

Updated: 9/3/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-11236

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:glibc-langpack-es, p-cpe:/a:amazon:linux:glibc-static, p-cpe:/a:amazon:linux:glibc-langpack-ia, p-cpe:/a:amazon:linux:glibc-langpack-tr, p-cpe:/a:amazon:linux:glibc-langpack-nb, p-cpe:/a:amazon:linux:glibc-langpack-af, p-cpe:/a:amazon:linux:glibc-langpack-ht, p-cpe:/a:amazon:linux:glibc-langpack-ts, p-cpe:/a:amazon:linux:glibc-langpack-wal, p-cpe:/a:amazon:linux:nss_nis, p-cpe:/a:amazon:linux:glibc-langpack-ak, p-cpe:/a:amazon:linux:glibc-langpack-nan, p-cpe:/a:amazon:linux:glibc-langpack-os, p-cpe:/a:amazon:linux:glibc-langpack-so, p-cpe:/a:amazon:linux:nscd, p-cpe:/a:amazon:linux:glibc-langpack-chr, p-cpe:/a:amazon:linux:glibc-langpack-kn, p-cpe:/a:amazon:linux:glibc-langpack-shs, p-cpe:/a:amazon:linux:glibc-langpack-ce, p-cpe:/a:amazon:linux:libcrypt-nss, p-cpe:/a:amazon:linux:glibc-langpack-id, p-cpe:/a:amazon:linux:glibc-langpack-li, p-cpe:/a:amazon:linux:glibc-langpack-unm, cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:glibc-langpack-gd, p-cpe:/a:amazon:linux:glibc-langpack-hu, p-cpe:/a:amazon:linux:glibc-langpack-sat, p-cpe:/a:amazon:linux:glibc-langpack-sq, p-cpe:/a:amazon:linux:glibc-langpack-yi, p-cpe:/a:amazon:linux:glibc-langpack-the, p-cpe:/a:amazon:linux:glibc-langpack-da, p-cpe:/a:amazon:linux:glibc-langpack-tk, p-cpe:/a:amazon:linux:glibc-langpack-hr, p-cpe:/a:amazon:linux:glibc-langpack-mni, p-cpe:/a:amazon:linux:glibc-langpack-si, p-cpe:/a:amazon:linux:glibc-langpack-xh, p-cpe:/a:amazon:linux:glibc-langpack-raj, p-cpe:/a:amazon:linux:glibc-langpack-ast, p-cpe:/a:amazon:linux:glibc-langpack-hne, p-cpe:/a:amazon:linux:glibc-langpack-ayc, p-cpe:/a:amazon:linux:glibc-langpack-sid, p-cpe:/a:amazon:linux:glibc-langpack-csb, p-cpe:/a:amazon:linux:glibc-langpack-nr, p-cpe:/a:amazon:linux:glibc-langpack-nhn, p-cpe:/a:amazon:linux:glibc-langpack-yue, p-cpe:/a:amazon:linux:glibc-langpack-my, p-cpe:/a:amazon:linux:glibc-langpack-fur, p-cpe:/a:amazon:linux:glibc-langpack-sv, p-cpe:/a:amazon:linux:glibc-langpack-fr, p-cpe:/a:amazon:linux:glibc-langpack-nso, p-cpe:/a:amazon:linux:glibc-langpack-vi, p-cpe:/a:amazon:linux:glibc-langpack-lt, p-cpe:/a:amazon:linux:glibc-langpack-ja, p-cpe:/a:amazon:linux:glibc-langpack-sa, p-cpe:/a:amazon:linux:glibc-langpack-pl, p-cpe:/a:amazon:linux:glibc-langpack-lb, p-cpe:/a:amazon:linux:glibc-langpack-mn, p-cpe:/a:amazon:linux:glibc-langpack-sgs, p-cpe:/a:amazon:linux:glibc-langpack-et, p-cpe:/a:amazon:linux:glibc-langpack-wo, p-cpe:/a:amazon:linux:glibc-langpack-zh, p-cpe:/a:amazon:linux:nss_hesiod, p-cpe:/a:amazon:linux:glibc-langpack-ik, p-cpe:/a:amazon:linux:glibc-langpack-hy, p-cpe:/a:amazon:linux:glibc-langpack-cmn, p-cpe:/a:amazon:linux:glibc-langpack-tt, p-cpe:/a:amazon:linux:glibc-all-langpacks, p-cpe:/a:amazon:linux:glibc-langpack-ks, p-cpe:/a:amazon:linux:glibc-langpack-bem, p-cpe:/a:amazon:linux:glibc-langpack-bho, p-cpe:/a:amazon:linux:glibc-langpack-an, p-cpe:/a:amazon:linux:glibc-benchtests, p-cpe:/a:amazon:linux:glibc-langpack-ku, p-cpe:/a:amazon:linux:glibc-langpack-fo, p-cpe:/a:amazon:linux:glibc-langpack-ml, p-cpe:/a:amazon:linux:glibc-langpack-be, p-cpe:/a:amazon:linux:glibc-langpack-ar, p-cpe:/a:amazon:linux:glibc-langpack-bhb, p-cpe:/a:amazon:linux:glibc-langpack-ln, p-cpe:/a:amazon:linux:glibc-langpack-bn, p-cpe:/a:amazon:linux:glibc-langpack-ta, p-cpe:/a:amazon:linux:glibc-langpack-ru, p-cpe:/a:amazon:linux:nss_db, p-cpe:/a:amazon:linux:glibc-langpack-or, p-cpe:/a:amazon:linux:glibc-langpack-tn, p-cpe:/a:amazon:linux:glibc-nss-devel, p-cpe:/a:amazon:linux:glibc-langpack-dv, p-cpe:/a:amazon:linux:glibc-langpack-sl, p-cpe:/a:amazon:linux:glibc-langpack-ps, p-cpe:/a:amazon:linux:glibc-langpack-hi, p-cpe:/a:amazon:linux:glibc-langpack-az, p-cpe:/a:amazon:linux:glibc-langpack-eu, p-cpe:/a:amazon:linux:glibc-langpack-km, p-cpe:/a:amazon:linux:glibc-langpack-mk, p-cpe:/a:amazon:linux:glibc-langpack-th, p-cpe:/a:amazon:linux:glibc-locale-source, p-cpe:/a:amazon:linux:glibc-langpack-sk, p-cpe:/a:amazon:linux:glibc-langpack-doi, p-cpe:/a:amazon:linux:glibc-langpack-tig, p-cpe:/a:amazon:linux:glibc-langpack-cv, p-cpe:/a:amazon:linux:glibc-headers, p-cpe:/a:amazon:linux:glibc-langpack-ky, p-cpe:/a:amazon:linux:glibc-langpack-mt, p-cpe:/a:amazon:linux:glibc-langpack-zu, p-cpe:/a:amazon:linux:glibc-langpack-mag, p-cpe:/a:amazon:linux:glibc-langpack-kl, p-cpe:/a:amazon:linux:glibc-langpack-ko, p-cpe:/a:amazon:linux:glibc-langpack-he, p-cpe:/a:amazon:linux:glibc-langpack-ne, p-cpe:/a:amazon:linux:glibc-langpack-fy, p-cpe:/a:amazon:linux:glibc-langpack-wae, p-cpe:/a:amazon:linux:glibc-langpack-fa, p-cpe:/a:amazon:linux:glibc-langpack-br, p-cpe:/a:amazon:linux:glibc-common, p-cpe:/a:amazon:linux:glibc, p-cpe:/a:amazon:linux:glibc-langpack-en, p-cpe:/a:amazon:linux:glibc-langpack-kk, p-cpe:/a:amazon:linux:glibc-langpack-nn, p-cpe:/a:amazon:linux:glibc-langpack-om, p-cpe:/a:amazon:linux:glibc-langpack-sd, p-cpe:/a:amazon:linux:glibc-utils, p-cpe:/a:amazon:linux:glibc-debuginfo, p-cpe:/a:amazon:linux:glibc-langpack-ga, p-cpe:/a:amazon:linux:glibc-langpack-bo, p-cpe:/a:amazon:linux:glibc-langpack-byn, p-cpe:/a:amazon:linux:glibc-langpack-uk, p-cpe:/a:amazon:linux:glibc-langpack-gu, p-cpe:/a:amazon:linux:glibc-langpack-st, p-cpe:/a:amazon:linux:glibc-langpack-sw, p-cpe:/a:amazon:linux:glibc-langpack-fi, p-cpe:/a:amazon:linux:glibc-langpack-aa, p-cpe:/a:amazon:linux:glibc-langpack-brx, p-cpe:/a:amazon:linux:glibc-langpack-oc, p-cpe:/a:amazon:linux:glibc-langpack-fil, p-cpe:/a:amazon:linux:glibc-langpack-gv, p-cpe:/a:amazon:linux:glibc-langpack-iu, p-cpe:/a:amazon:linux:glibc-langpack-crh, p-cpe:/a:amazon:linux:glibc-langpack-rw, p-cpe:/a:amazon:linux:glibc-langpack-tl, p-cpe:/a:amazon:linux:glibc-langpack-ca, p-cpe:/a:amazon:linux:glibc-langpack-gez, p-cpe:/a:amazon:linux:glibc-langpack-nl, p-cpe:/a:amazon:linux:glibc-langpack-ro, p-cpe:/a:amazon:linux:glibc-langpack-am, p-cpe:/a:amazon:linux:glibc-langpack-lo, p-cpe:/a:amazon:linux:glibc-debuginfo-common, p-cpe:/a:amazon:linux:glibc-langpack-cy, p-cpe:/a:amazon:linux:glibc-langpack-de, p-cpe:/a:amazon:linux:glibc-langpack-pt, p-cpe:/a:amazon:linux:glibc-langpack-ka, p-cpe:/a:amazon:linux:glibc-langpack-pap, p-cpe:/a:amazon:linux:glibc-langpack-cs, p-cpe:/a:amazon:linux:glibc-langpack-eo, p-cpe:/a:amazon:linux:glibc-langpack-ig, p-cpe:/a:amazon:linux:glibc-langpack-gl, p-cpe:/a:amazon:linux:glibc-langpack-mr, p-cpe:/a:amazon:linux:glibc-langpack-quz, p-cpe:/a:amazon:linux:glibc-langpack-uz, p-cpe:/a:amazon:linux:glibc-langpack-is, p-cpe:/a:amazon:linux:glibc-langpack-yo, p-cpe:/a:amazon:linux:glibc-langpack-kok, p-cpe:/a:amazon:linux:glibc-langpack-ff, p-cpe:/a:amazon:linux:glibc-langpack-anp, p-cpe:/a:amazon:linux:glibc-langpack-ss, p-cpe:/a:amazon:linux:glibc-langpack-bs, p-cpe:/a:amazon:linux:glibc-langpack-ti, p-cpe:/a:amazon:linux:glibc-langpack-wa, p-cpe:/a:amazon:linux:glibc-langpack-tg, p-cpe:/a:amazon:linux:glibc-langpack-bg, p-cpe:/a:amazon:linux:glibc-langpack-hak, p-cpe:/a:amazon:linux:glibc-langpack-se, p-cpe:/a:amazon:linux:glibc-langpack-sr, p-cpe:/a:amazon:linux:glibc-langpack-ms, p-cpe:/a:amazon:linux:glibc-langpack-mhr, p-cpe:/a:amazon:linux:glibc-langpack-kw, p-cpe:/a:amazon:linux:glibc-langpack-dz, p-cpe:/a:amazon:linux:glibc-langpack-lij, p-cpe:/a:amazon:linux:glibc-langpack-mi, p-cpe:/a:amazon:linux:glibc-langpack-lzh, p-cpe:/a:amazon:linux:glibc-langpack-mai, p-cpe:/a:amazon:linux:glibc-langpack-ug, p-cpe:/a:amazon:linux:glibc-langpack-lg, p-cpe:/a:amazon:linux:glibc-devel, p-cpe:/a:amazon:linux:glibc-langpack-ha, p-cpe:/a:amazon:linux:glibc-langpack-nds, p-cpe:/a:amazon:linux:glibc-langpack-ur, p-cpe:/a:amazon:linux:glibc-langpack-hsb, p-cpe:/a:amazon:linux:glibc-langpack-as, p-cpe:/a:amazon:linux:glibc-langpack-te, p-cpe:/a:amazon:linux:libcrypt, p-cpe:/a:amazon:linux:glibc-langpack-ve, p-cpe:/a:amazon:linux:glibc-langpack-pa, p-cpe:/a:amazon:linux:glibc-minimal-langpack, p-cpe:/a:amazon:linux:glibc-langpack-tcy, p-cpe:/a:amazon:linux:glibc-langpack-lv, p-cpe:/a:amazon:linux:glibc-langpack-mg, p-cpe:/a:amazon:linux:glibc-langpack-it, p-cpe:/a:amazon:linux:glibc-langpack-niu, p-cpe:/a:amazon:linux:glibc-langpack-el, p-cpe:/a:amazon:linux:glibc-langpack-sc, p-cpe:/a:amazon:linux:glibc-langpack-szl, p-cpe:/a:amazon:linux:glibc-langpack-ber

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/24/2018

Reference Information

CVE: CVE-2017-15670, CVE-2017-15804, CVE-2017-18269, CVE-2018-11236

ALAS: 2018-1048