
CERT Coordination Center

glibc vulnerable to stack buffer overflow in DNS resolver

Vulnerability Note VU#457759

Original Release Date: 2016-02-17 | Last Revised: 2016-03-14

Overview

GNU glibc contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code.

Description

CWE-121: Stack-based Buffer Overflow - CVE-2015-7547

According to a Google security blog post:

"The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack."

According to glibc developers, the vulnerable code was initially added in May 2008 as part of the development for glibc 2.9. All versions from 2.9 (originally released November 2008) to 2.22 appear to be affected.

More details and analysis are available in the patch announcement from glibc developers.

Impact

The getaddrinfo() function allows a buffer overflow condition in which arbitrary code may be executed. The impact may vary depending on whether the use case is local or remote.

Solution

Apply an update

A patch for glibc is available. Affected users should apply the patch as soon as possible. The patch will also be included as part of the upcoming glibc 2.23 release.

The Vendor Status information below provides more information on updates.

Vendor Information

Some embedded operating systems or older, no longer supported versions of Linux distributions may contain an older version of glibc that is vulnerable. Please check with your vendor to find out if you need to upgrade to a newer operating system in order to address this issue.
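
As a triage aid for the affected range stated above (glibc 2.9 through 2.22), the following added example, which is not part of the original note, flags hosts in an inventory whose glibc version falls in that range. The inventory lines and host names are constructed; an in-range version is only a prompt to check the vendor advisory, because distributions ship the fix as a backport without changing the upstream version number.

```shell
#!/bin/sh
# Added example: triage glibc versions against the range VU#457759 gives
# for CVE-2015-7547 (2.9 through 2.22 inclusive).
# Caveat: distributions backport the fix, so "in-range" means "confirm the
# package against the vendor advisory", not "confirmed vulnerable".

# glibc_in_affected_range VERSION
# Accepts strings such as "2.17", "2.17-0.example1" or "glibc 2.19"
# (the format printed by `getconf GNU_LIBC_VERSION`).
# Prints in-range / out-of-range / unparseable; returns 0 only for in-range.
glibc_in_affected_range() {
    ver=$1
    # Extract the first MAJOR.MINOR pair found in the string.
    mm=$(printf '%s\n' "$ver" |
         sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    if [ -z "$mm" ]; then
        echo unparseable
        return 2
    fi
    major=${mm% *}
    minor=${mm#* }
    if [ "$major" -eq 2 ] && [ "$minor" -ge 9 ] && [ "$minor" -le 22 ]; then
        echo in-range
        return 0
    fi
    echo out-of-range
    return 1
}

# scan_inventory: read "HOST VERSION" lines on stdin and print the hosts
# that need follow-up (in range, or version could not be parsed).
scan_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        status=$(glibc_in_affected_range "$ver") || true
        case $status in
            in-range|unparseable)
                printf '%s %s %s\n' "$host" "$ver" "$status" ;;
        esac
    done
}

# Constructed sample inventory (hypothetical hosts and package versions).
SAMPLE_INVENTORY='web01 2.17-0.example1
build02 2.23-1.example
legacy03 2.5-0.example9
edge04 2.19-0.example3
router05 unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | scan_inventory
```

On a live host, `glibc_in_affected_range "$(getconf GNU_LIBC_VERSION)"` applies the same check to the running system's glibc.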


Android Open Source Project

Notified:  February 17, 2016 Updated:  February 23, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arista Networks, Inc.

Notified:  February 17, 2016 Updated:  February 17, 2016

Statement Date:   February 17, 2016

Status

  Affected

Vendor Statement

"Arista Networks is investigating the applicability of VU#457759 to our products. More information will be available as the investigation proceeds."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Blue Coat Systems

Notified:  February 17, 2016 Updated:  February 26, 2016

Statement Date:   February 26, 2016

Status

  Affected

Vendor Statement

"Blue Coat products using an affected version of the GNU C Library (glibc) are susceptible to a remote execution attack. A remote attacker can send a crafted DNS response to the glibc DNS resolver and cause the resolver to crash or execute arbitrary code."

Vendor Information

Fixes for the vulnerable products are pending. Please see the advisory below.

Vendor References

CentOS

Notified:  February 17, 2016 Updated:  March 14, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

A patched version of glibc is available for CentOS. The forum discussion at the URL below provides further information.

Vendor References

Cisco

Notified:  February 17, 2016 Updated:  February 18, 2016

Statement Date:   February 18, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco has provided a security advisory which contains details of which products are affected at the URL below:

Vendor References

Debian GNU/Linux

Notified:  February 17, 2016 Updated:  February 17, 2016

Statement Date:   February 17, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Debian has released glibc updates containing the patches. Please see the announcements below:

Vendor References

GNU glibc

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

A detailed analysis and patch for glibc are available at the URL below.

Vendor References

Gentoo Linux

Notified:  February 17, 2016 Updated:  February 17, 2016

Statement Date:   February 17, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

glibc has been updated with the patch on Gentoo. Please see the Gentoo security advisory at the URL below.

Addendum

https://security.gentoo.org/glsa/201602-02


Red Hat, Inc.

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

glibc has been updated with the patch. Please see the Red Hat security advisory at the URL below.

Vendor References

Ubuntu

Notified:  February 17, 2016 Updated:  February 17, 2016

Statement Date:   February 17, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Ubuntu has released a patched version of glibc. Please see the security advisory at the URL below:

Vendor References

EfficientIP

Updated:  February 18, 2016

Statement Date:   February 18, 2016

Status

  Not Affected

Vendor Statement

"No version of our software is affected by VU#457759 (glibc vulnerable to stack buffer overflow in DNS resolver)"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  February 17, 2016 Updated:  February 22, 2016

Statement Date:   February 20, 2016

Status

  Not Affected

Vendor Statement

"Openwall GNU/*/Linux is not affected. We use a fork of a version of glibc predating the introduction of this vulnerability.

We have previously patched the somewhat related GHOST vulnerability."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

PC-BSD

Notified:  February 17, 2016 Updated:  February 17, 2016

Statement Date:   February 17, 2016

Status

  Not Affected

Vendor Statement

PC-BSD is based upon FreeBSD, and as such does *not* use glibc by default for any native *BSD applications. As such, it is not vulnerable to CVE-2015-7547.

PC-BSD does allow running Linux applications through emulation, in which case users should ensure their packages / VM's are updated in accordance with upstream methods.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TCPWave

Updated:  February 18, 2016

Statement Date:   February 18, 2016

Status

  Not Affected

Vendor Statement

"The TCPWave DNS Appliances and TCPWave Sharkcage Appliances do not use a vulnerable version of glibc in the current production releases. A newer version that is scheduled for a summer release has been found vulnerable and has been patched. When the customers upgrade the existing appliances to a newer version, they will not be impacted by this vulnerability."

Vendor Information

TCPWave has provided a security advisory at the URL below:

Vendor References

ACCESS

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    AT&T

    Notified:  February 17, 2016 Updated:  February 17, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      Alcatel-Lucent

      Notified:  February 17, 2016 Updated:  February 17, 2016

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        Apple

        Notified:  February 17, 2016 Updated:  February 17, 2016

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Arch Linux

          Notified:  February 17, 2016 Updated:  February 17, 2016

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Aruba Networks

            Notified:  February 17, 2016 Updated:  February 17, 2016

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              Avaya, Inc.

              Notified:  February 17, 2016 Updated:  February 17, 2016

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Barracuda Networks

                Notified:  February 17, 2016 Updated:  February 17, 2016

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  Belkin, Inc.

                  Notified:  February 17, 2016 Updated:  February 17, 2016

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    Brocade Communication Systems

                    Notified:  February 17, 2016 Updated:  February 17, 2016

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      CA Technologies

                      Notified:  February 17, 2016 Updated:  February 17, 2016

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        Check Point Software Technologies

                        Notified:  February 17, 2016 Updated:  February 17, 2016

                        Status

                          Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          Contiki OS

                          Notified:  February 17, 2016 Updated:  February 17, 2016

                          Status

                            Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            CoreOS

                            Notified:  February 17, 2016 Updated:  February 17, 2016

                            Status

                              Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              D-Link Systems, Inc.

                              Notified:  February 17, 2016 Updated:  February 17, 2016

                              Status

                                Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                DesktopBSD

                                Notified:  February 17, 2016 Updated:  February 17, 2016

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  DragonFly BSD Project

                                  Notified:  February 17, 2016 Updated:  February 17, 2016

                                  Status

                                    Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References

                                    EMC Corporation

                                    Notified:  February 17, 2016 Updated:  February 17, 2016

                                    Status

                                      Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      Enterasys Networks

                                      Notified:  February 17, 2016 Updated:  February 17, 2016

                                      Status

                                        Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        Ericsson

                                        Notified:  February 17, 2016 Updated:  February 17, 2016

                                        Status

                                          Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          European Registry for Internet Domains

                                          Notified:  February 17, 2016 Updated:  February 17, 2016

                                          Status

                                            Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            Extreme Networks

                                            Notified:  February 17, 2016 Updated:  February 17, 2016

                                            Status

                                              Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              F5 Networks, Inc.

                                              Notified:  February 17, 2016 Updated:  February 17, 2016

                                              Status

                                                Unknown

                                              Vendor Statement

                                              No statement is currently available from the vendor regarding this vulnerability.

                                              Vendor References

                                                Fedora Project

                                                Notified:  February 17, 2016 Updated:  February 17, 2016

                                                Status

                                                  Unknown

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor References

                                                  Force10 Networks

                                                  Notified:  February 17, 2016 Updated:  February 17, 2016

                                                  Status

                                                    Unknown

                                                  Vendor Statement

                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                  Vendor References

                                                    Fortinet, Inc.

                                                    Notified:  February 17, 2016 Updated:  February 29, 2016

                                                    Statement Date:   February 29, 2016

                                                    Status

                                                      Unknown

                                                    Vendor Statement

                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                    Vendor Information

                                                    The following products are confirmed to be not affected:

                                                        • FortiOS
                                                        • FortiSwitch
                                                        • FortiAnalyzer
                                                    Other products are in the course of being investigated. Please see the URL below for more information and updates.

                                                    Vendor References

                                                    Foundry Brocade

                                                    Notified:  February 17, 2016 Updated:  February 17, 2016

                                                    Status

                                                      Unknown

                                                    Vendor Statement

                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                    Vendor References

                                                      FreeBSD Project

                                                      Notified:  February 17, 2016 Updated:  February 17, 2016

                                                      Status

                                                        Unknown

                                                      Vendor Statement

                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                      Vendor References

                                                        GNU adns

                                                        Notified:  February 17, 2016 Updated:  February 17, 2016

                                                        Status

                                                          Unknown

                                                        Vendor Statement

                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                        Vendor References

                                                          Google

                                                          Notified:  February 17, 2016 Updated:  February 17, 2016

                                                          Status

                                                            Unknown

                                                          Vendor Statement

                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                          Vendor References

                                                            Hardened BSD

                                                            Notified:  February 17, 2016 Updated:  February 17, 2016

                                                            Status

                                                              Unknown

                                                            Vendor Statement

                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                            Vendor References

                                                              Hewlett Packard Enterprise

                                                              Notified:  February 17, 2016 Updated:  February 17, 2016

                                                              Status

                                                                Unknown

                                                              Vendor Statement

                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                              Vendor References

                                                                Hitachi

                                                                Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                Status

                                                                  Unknown

                                                                Vendor Statement

                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                Vendor References

                                                                  Huawei Technologies

                                                                  Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                  Status

                                                                    Unknown

                                                                  Vendor Statement

                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                  Vendor References

                                                                    IBM Corporation

                                                                    Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                    Status

                                                                      Unknown

                                                                    Vendor Statement

                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                    Vendor References

                                                                      IBM eServer

                                                                      Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                      Status

                                                                        Unknown

                                                                      Vendor Statement

                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                      Vendor References

                                                                        Infoblox

                                                                        Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                        Status

                                                                          Unknown

                                                                        Vendor Statement

                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                        Vendor References

                                                                          Intel Corporation

                                                                          Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                          Status

                                                                            Unknown

                                                                          Vendor Statement

                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                          Vendor References

                                                                            Internet Systems Consortium

                                                                            Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                            Status

                                                                              Unknown

                                                                            Vendor Statement

                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                            Vendor References

                                                                              Internet Systems Consortium - DHCP

                                                                              Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                              Status

                                                                                Unknown

                                                                              Vendor Statement

                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                              Vendor References

                                                                                JH Software

                                                                                Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                Status

                                                                                  Unknown

                                                                                Vendor Statement

                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                Vendor References

                                                                                  Juniper Networks

                                                                                  Notified:  February 17, 2016 Updated:  February 22, 2016

                                                                                  Statement Date:   February 19, 2016

                                                                                  Status

                                                                                    Unknown

                                                                                  Vendor Statement

                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                  Vendor Information

                                                                                  The vendor has provided the following list. A statement is available at the URL below.

                                                                                  The following products have been confirmed to be not vulnerable to the glibc issue reported as CVE-2015-7547:

                                                                                      • Junos OS does not use glibc and is not affected by this issue.
                                                                                        Note: Linux VM-based platforms (e.g. vSRX, vMX, etc.) include glibc, but do not make use of DNS client libraries during normal operation.
                                                                                      • Junos Space
                                                                                      • ScreenOS uses a different implementation of libc and is not affected by this issue.
                                                                                      • QFabric Director
                                                                                      • JUNOSe
                                                                                      • CTP and CTPView
                                                                                      • NSM server relies on underlying OS glibc library. Contact OS vendor
                                                                                      • SBR Carrier running on RHEL relies on the glibc library shipped with the OS.  Customers should contact the OS vendor to upgrade glibc.
                                                                                      • SBR Carrier running on Solaris is not vulnerable as it does not use this library.
                                                                                      • WX/WXC
                                                                                      • Netscreen IDP
                                                                                  Other products are still under investigation.

                                                                                  Vendor References

                                                                                  Lynx Software Technologies

                                                                                  Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                  Status

                                                                                    Unknown

                                                                                  Vendor Statement

                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                  Vendor References

                                                                                    McAfee

                                                                                    Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                    Status

                                                                                      Unknown

                                                                                    Vendor Statement

                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                    Vendor References

                                                                                      Microsoft Corporation

                                                                                      Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                      Status

                                                                                        Unknown

                                                                                      Vendor Statement

                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                      Vendor References

                                                                                        NEC Corporation

                                                                                        Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                        Status

                                                                                          Unknown

                                                                                        Vendor Statement

                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                        Vendor References

                                                                                          NLnet Labs

                                                                                          Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                          Status

                                                                                            Unknown

                                                                                          Vendor Statement

                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                          Vendor References

                                                                                            NetBSD

                                                                                            Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                            Status

                                                                                              Unknown

                                                                                            Vendor Statement

                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                            Vendor References

                                                                                              Nokia

                                                                                              Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                              Status

                                                                                                Unknown

                                                                                              Vendor Statement

                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                              Vendor References

                                                                                                Nominum

                                                                                                Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                Status

                                                                                                  Unknown

                                                                                                Vendor Statement

                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                Vendor References

                                                                                                  OmniTI

                                                                                                  Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                  Status

                                                                                                    Unknown

                                                                                                  Vendor Statement

                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                  Vendor References

                                                                                                    OpenBSD

                                                                                                    Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                    Status

                                                                                                      Unknown

                                                                                                    Vendor Statement

                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                    Vendor References

                                                                                                      OpenDNS

                                                                                                      Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                      Status

                                                                                                        Unknown

                                                                                                      Vendor Statement

                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                      Vendor References

                                                                                                        Oracle Corporation

                                                                                                        Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                        Status

                                                                                                          Unknown

                                                                                                        Vendor Statement

                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                        Vendor References

                                                                                                          Peplink

                                                                                                          Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                          Status

                                                                                                            Unknown

                                                                                                          Vendor Statement

                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                          Vendor References

                                                                                                            PowerDNS

                                                                                                            Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                            Status

                                                                                                              Unknown

                                                                                                            Vendor Statement

                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                            Vendor References

                                                                                                              Q1 Labs

                                                                                                              Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                              Status

                                                                                                                Unknown

                                                                                                              Vendor Statement

                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                              Vendor References

                                                                                                                QNX Software Systems Inc.

                                                                                                                Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                Status

                                                                                                                  Unknown

                                                                                                                Vendor Statement

                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                Vendor References

                                                                                                                  SUSE Linux

                                                                                                                  Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                  Status

                                                                                                                    Unknown

                                                                                                                  Vendor Statement

                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                  Vendor References

                                                                                                                    SafeNet

                                                                                                                    Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                    Status

                                                                                                                      Unknown

                                                                                                                    Vendor Statement

                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                    Vendor References

                                                                                                                      Secure64 Software Corporation

                                                                                                                      Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                      Status

                                                                                                                        Unknown

                                                                                                                      Vendor Statement

                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                      Vendor References

                                                                                                                        Slackware Linux Inc.

                                                                                                                        Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                        Status

                                                                                                                          Unknown

                                                                                                                        Vendor Statement

                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                        Vendor References

                                                                                                                          SmoothWall

                                                                                                                          Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                          Status

                                                                                                                            Unknown

                                                                                                                          Vendor Statement

                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                          Vendor References

                                                                                                                            Snort

                                                                                                                            Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                            Status

                                                                                                                              Unknown

                                                                                                                            Vendor Statement

                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                            Vendor References

                                                                                                                              Sony Corporation

                                                                                                                              Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                              Status

                                                                                                                                Unknown

                                                                                                                              Vendor Statement

                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                              Vendor References

                                                                                                                                Sourcefire

                                                                                                                                Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                Status

                                                                                                                                  Unknown

                                                                                                                                Vendor Statement

                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                Vendor References

                                                                                                                                  Symantec

                                                                                                                                  Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                  Status

                                                                                                                                    Unknown

                                                                                                                                  Vendor Statement

                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                  Vendor References

                                                                                                                                    TippingPoint Technologies Inc.

                                                                                                                                    Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                    Status

                                                                                                                                      Unknown

                                                                                                                                    Vendor Statement

                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                    Vendor References

                                                                                                                                      Turbolinux

                                                                                                                                      Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                      Status

                                                                                                                                        Unknown

                                                                                                                                      Vendor Statement

                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                      Vendor References

                                                                                                                                        Unisys

                                                                                                                                        Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                        Status

                                                                                                                                          Unknown

                                                                                                                                        Vendor Statement

                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                        Vendor References

                                                                                                                                          VMware

                                                                                                                                          Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                          Status

                                                                                                                                            Unknown

                                                                                                                                          Vendor Statement

                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                          Vendor References

                                                                                                                                            Wind River

                                                                                                                                            Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                            Status

                                                                                                                                              Unknown

                                                                                                                                            Vendor Statement

                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                            Vendor References

                                                                                                                                              Xilinx

                                                                                                                                              Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                              Status

                                                                                                                                                Unknown

                                                                                                                                              Vendor Statement

                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                              Vendor References

                                                                                                                                                ZyXEL

                                                                                                                                                Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                                Status

                                                                                                                                                  Unknown

                                                                                                                                                Vendor Statement

                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                Vendor References

                                                                                                                                                  dnsmasq

                                                                                                                                                  Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                                  Status

                                                                                                                                                    Unknown

                                                                                                                                                  Vendor Statement

                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                  Vendor References

                                                                                                                                                    gdnsd

                                                                                                                                                    Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                                    Status

                                                                                                                                                      Unknown

                                                                                                                                                    Vendor Statement

                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                    Vendor References

                                                                                                                                                      m0n0wall

                                                                                                                                                      Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                                      Status

                                                                                                                                                        Unknown

                                                                                                                                                      Vendor Statement

                                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                      Vendor References

                                                                                                                                                        openSUSE project

                                                                                                                                                        Notified:  February 17, 2016 Updated:  February 17, 2016

                                                                                                                                                        Status

                                                                                                                                                          Unknown

                                                                                                                                                        Vendor Statement

                                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                        Vendor References



                                                                                                                                                          CVSS Metrics

                                                                                                                                                          Group          Score  Vector
                                                                                                                                                          Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
                                                                                                                                                          Temporal       8.1    E:POC/RL:TF/RC:C
                                                                                                                                                          Environmental  8.1    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

                                                                                                                                                          References

                                                                                                                                                          Acknowledgements

                                                                                                                                                          This vulnerability was disclosed by Fermin J. Serna and Kevin Stadmeyer of Google and Florian Weimer and Carlos O'Donell of Red Hat. Google thanks: "Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O'Donell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development."

                                                                                                                                                          This document was written by Garret Wassermann.

                                                                                                                                                          Other Information

                                                                                                                                                          CVE IDs: CVE-2015-7547
                                                                                                                                                          Date Public: 2016-02-16
                                                                                                                                                          Date First Published: 2016-02-17
                                                                                                                                                          Date Last Updated: 2016-03-14 14:25 UTC
                                                                                                                                                          Document Revision: 51

                                                                                                                                                          Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.