Vulnerability Note VU#457759
glibc vulnerable to stack buffer overflow in DNS resolver
GNU glibc contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code.
CWE-121: Stack-based Buffer Overflow - CVE-2015-7547
According to a Google security blog post:
The getaddrinfo() function allows a buffer overflow condition in which arbitrary code may be executed. The impact may vary depending on whether the use case is local or remote.
Apply an update
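Processes started before the glibc package was updated keep the old library mapped until they are restarted, so installing the update alone does not protect long-running services. The following is an added example, not part of the original note: it reads Linux `/proc/<pid>/maps` and reports processes that still map a libc file that has since been replaced on disk. The function names and the sample input are constructed for illustration, and it assumes the package manager replaces the library file rather than overwriting it in place.

```python
import glob
import re

# A maps line whose backing file is a libc shared object that was replaced on
# disk; the kernel appends " (deleted)" to the path of such mappings.
STALE_LIBC = re.compile(r"/libc(-[^/\s]*)?\.so[^/\s]*\s+\(deleted\)\s*$")


def stale_libc_paths(maps_text):
    """Return the sorted, de-duplicated deleted libc paths in one maps file."""
    found = set()
    for line in maps_text.splitlines():
        if STALE_LIBC.search(line):
            # Fields: address perms offset dev inode pathname
            path = line.split(None, 5)[5]
            found.add(path.rsplit(" (deleted)", 1)[0].strip())
    return sorted(found)


def scan_proc(proc_root="/proc"):
    """Map pid -> stale libc paths for every readable process under proc_root."""
    report = {}
    for maps_file in glob.glob(f"{proc_root}/[0-9]*/maps"):
        pid = int(maps_file.split("/")[-2])
        try:
            with open(maps_file) as fh:
                stale = stale_libc_paths(fh.read())
        except OSError:
            continue  # process exited, or we lack permission to read it
        if stale:
            report[pid] = stale
    return report


# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
00400000-004f4000 r-xp 00000000 08:01 131 /usr/sbin/exampled
7f3a1c000000-7f3a1c1bb000 r-xp 00000000 08:01 2621 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3a1c3bb000-7f3a1c3bf000 r--p 001bb000 08:01 2621 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3a1c5c0000-7f3a1c5d8000 r-xp 00000000 08:01 2650 /lib/x86_64-linux-gnu/libpthread-2.19.so
"""

if __name__ == "__main__":
    print("sample:", stale_libc_paths(SAMPLE_MAPS))
    for pid, paths in sorted(scan_proc().items()):
        print(pid, ", ".join(paths))
```

Run it as root after updating so that every process's maps file is readable; any PID it lists needs a restart (or the host a reboot) before the fix is in effect for that process.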
Vendor Information
Some embedded operating systems and older, no longer supported versions of Linux distributions may contain an older version of glibc that is vulnerable. Please check with your vendor to find out whether you need to upgrade to a newer operating system to address this issue.
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Android Open Source Project | Affected | 17 Feb 2016 | 23 Feb 2016 |
| Arista Networks, Inc. | Affected | 17 Feb 2016 | 17 Feb 2016 |
| Blue Coat Systems | Affected | 17 Feb 2016 | 26 Feb 2016 |
| CentOS | Affected | 17 Feb 2016 | 14 Mar 2016 |
| Cisco | Affected | 17 Feb 2016 | 18 Feb 2016 |
| Debian GNU/Linux | Affected | 17 Feb 2016 | 17 Feb 2016 |
| Gentoo Linux | Affected | 17 Feb 2016 | 17 Feb 2016 |
| GNU glibc | Affected | 17 Feb 2016 | 17 Feb 2016 |
| Red Hat, Inc. | Affected | 17 Feb 2016 | 17 Feb 2016 |
| Ubuntu | Affected | 17 Feb 2016 | 17 Feb 2016 |
| EfficientIP | Not Affected | - | 18 Feb 2016 |
| Openwall GNU/*/Linux | Not Affected | 17 Feb 2016 | 22 Feb 2016 |
| PC-BSD | Not Affected | 17 Feb 2016 | 17 Feb 2016 |
| TCPWave | Not Affected | - | 18 Feb 2016 |
| ACCESS | Unknown | 17 Feb 2016 | 17 Feb 2016 |
This vulnerability was disclosed by Fermin J. Serna and Kevin Stadmeyer of Google and Florian Weimer and Carlos O’Donell of Red Hat. Google thanks: "Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O’Donell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development."
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-7547
- Date Public: 16 Feb 2016
- Date First Published: 17 Feb 2016
- Date Last Updated: 14 Mar 2016
- Document Revision: 51