CVE-2015-7547: Critical Vulnerability in glibc getaddrinfo

Bug #1547229 reported by Oleksandr Liemieshko
Affects                    Status        Importance  Assigned to
Fuel for OpenStack 6.0.x   Fix Released  High        Denis Meltsaykin
Fuel for OpenStack 6.1.x   Fix Released  High        Denis Meltsaykin
Fuel for OpenStack 7.0.x   Fix Released  High        Denis Meltsaykin
Mirantis OpenStack         Fix Released  High        MOS Maintenance
Mirantis OpenStack 8.0.x   Fix Released  High        MOS Maintenance
Mirantis OpenStack 9.x     Invalid       High        MOS Linux

Bug Description

All versions of glibc after 2.9 are vulnerable.

https://isc.sans.edu/forums/diary/CVE20157547+Critical+Vulnerability+in+glibc+getaddrinfo/20737/

For example, in MOS 6.0 we have:

[root@nailgun ~]# yum list |grep glibc
glibc.x86_64 2.12-1.132.el6_5.2 @anaconda-CentOS-201410241409.x86_64/6.3
glibc-common.x86_64 2.12-1.132.el6_5.2 @anaconda-CentOS-201410241409.x86_64/6.3
glibc-devel.x86_64 2.12-1.132.el6_5.2 nailgun
glibc-headers.x86_64 2.12-1.132.el6_5.2 nailgun

From one of the nodes:
Warning: Permanently added 'node-1' (RSA) to the list of known hosts.
ii libc-bin 2.15-0ubuntu10.7 Embedded GNU C Library: Binaries
ii libc-dev-bin 2.15-0ubuntu10.7 Embedded GNU C Library: Development binaries
ii libc6 2.15-0ubuntu10.7 Embedded GNU C Library: Shared libraries
ii libc6-dev 2.15-0ubuntu10.7 Embedded GNU C Library: Development Libraries and Header Files
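As an added check (not part of this bug report or of Fuel), the script below parses the yum and dpkg output quoted above and flags glibc packages older than the fixed builds. The CentOS 6 fixed version is the one named later in this thread; the Ubuntu 12.04 value 2.15-0ubuntu10.13 is an assumption taken from the Ubuntu advisory USN-2900-1, and the version comparison is a simplified one rather than full rpmvercmp/dpkg semantics.

```python
import re

# Constructed samples: the yum and dpkg lines quoted in the bug description
# (Fuel master on CentOS 6, an Ubuntu 12.04 node).
YUM_OUTPUT = """\
glibc.x86_64 2.12-1.132.el6_5.2 @anaconda-CentOS-201410241409.x86_64/6.3
glibc-common.x86_64 2.12-1.132.el6_5.2 @anaconda-CentOS-201410241409.x86_64/6.3
"""
DPKG_OUTPUT = """\
ii libc-bin 2.15-0ubuntu10.7 Embedded GNU C Library: Binaries
ii libc6 2.15-0ubuntu10.7 Embedded GNU C Library: Shared libraries
"""

# Minimum fixed versions. The CentOS 6 build is the one named in the thread
# (glibc-2.12-1.166.el6_7.7); the Ubuntu 12.04 value is an assumption taken
# from USN-2900-1 and should be checked against the distribution advisory.
FIXED = {"rpm": "2.12-1.166.el6_7.7", "deb": "2.15-0ubuntu10.13"}

def _segments(version):
    # Split "2.12-1.166.el6_7.7" into numeric and alphabetic runs, dropping
    # separators; numbers compare numerically, letters lexically.
    return [(0, int(s)) if s.isdigit() else (1, s)
            for s in re.findall(r"\d+|[A-Za-z]+", version)]

def version_lt(a, b):
    # Simplified comparison that is sufficient for the release-style versions
    # on this page; it does not implement every rpmvercmp/dpkg rule (e.g. '~').
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x != y:
            return x < y
    return len(sa) < len(sb)

def parse_yum(text):
    # `yum list | grep glibc` lines: "<name>.<arch> <version> <repo>".
    pkgs = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 2:
            pkgs[fields[0].rsplit(".", 1)[0]] = fields[1]
    return pkgs

def parse_dpkg(text):
    # `dpkg -l` lines: "ii <name> <version> <description>".
    pkgs = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 3 and fields[0] == "ii":
            pkgs[fields[1]] = fields[2]
    return pkgs

def vulnerable_packages(pkgs, fixed):
    # {name: version} for every installed package older than the fixed build.
    return {n: v for n, v in pkgs.items() if version_lt(v, fixed)}
```

Calling vulnerable_packages(parse_dpkg(DPKG_OUTPUT), FIXED["deb"]) or vulnerable_packages(parse_yum(YUM_OUTPUT), FIXED["rpm"]) on real command output returns the packages on that host that still need the update.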

CVE References

tags: added: customer-found support
Changed in fuel:
importance: Undecided → Critical
Changed in fuel:
assignee: nobody → MOS Maintenance (mos-maintenance)
information type: Public → Public Security
Changed in fuel:
status: New → Confirmed
tags: added: area-mos
Changed in fuel:
importance: Critical → High
Adam Heczko (aheczko-mirantis) wrote :

According to CVSS this has a score of 8.3.
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Changing importance to 'High'.

information type: Public Security → Private Security
affects: fuel → mos
Adam Heczko (aheczko-mirantis) wrote :

Just to clarify:
IMO we are supposed to provide updates for all MOS versions which can't consume updates from upstream.
It affects Fuel (CentOS) as well as slaves: CentOS / Ubuntu.

Thomas Goirand (thomas-goirand) wrote :

At this point in time, with exploits in the wild [1], there's no reason to keep this bug as "Private security". Please open the bug and act transparently; we don't want/need to uselessly keep this one undisclosed. I'd see it as being dishonest to our users.

[1] https://github.com/fjserna/CVE-2015-7547

Artem Silenkov (asilenkov) wrote :

1. CentOS 6.3 already contains the fixed package:
glibc-2.12-1.166.el6_7.7.rpm

Patches related:
glibc-rh1296031-0.patch
glibc-rh1296031.patch

Fixes applied were:
http://paste.openstack.org/show/487786/

This list is quite long; upgrading to the upstream version is risky without deep testing.

2. The two CVE-related patches could be applied with manual offset tuning. They apply smoothly; only the offset differs, not the code. However, this operation is risky without deep testing.

We should decide what to do next.

All upstreams mentioned have this fix applied in their updates repo. Backporting is possible for sure, but with no guarantees.

Artem Silenkov (asilenkov) wrote :

I'd rather stick with backporting the whole package than just the two patches.

I don't have 6.0, only 6.1.
6.1 is working for me with the 2.12-1.166 glibc backported from upstream.

Not sure if simply adding update repo is safe enough.

Dmitry Teselkin (teselkin-d) wrote :

CentOS 6.7 contains the updated package, not 6.3.

We should try to use the upstream version first, and not rebuild the package until we find that there is no other way.

Adding the upstream update repo is not possible without extra configuration. However, it might work if done correctly.

Denis Meltsaykin (dmeltsaykin) wrote :

This bug will be covered by a security bulletin which is expected to be released in the near future.

Vitaly Sedelnik (vsedelnik) wrote :

Nominated to the 8.0.x and 9.0.x series, targeted to 8.0-mu-1 and 9.0. Looks like we have to update the tech bulletin with information for 8.0 and make sure the updated glibc gets landed in 9.0.

Dmitry Teselkin (teselkin-d) wrote :

9.0+ is based on CentOS 7.2, where this issue was fixed.

Denis Meltsaykin (dmeltsaykin) wrote :

The security bulletin has been released: https://content.mirantis.com/rs/451-RBY-185/images/Mirantis-Technical-Bulletin-glibc-security.pdf
Closing as Fix Released.

information type: Private Security → Public Security