Securing MarkLogic against glibc library vulnerability CVE-2015-7547 glibc getaddrinfo() stack-based buffer overflow
18 February 2016 10:35 AM


This knowledge base article discusses the various aspects of the vulnerability found in the glibc library (CVE-2015-7547) with respect to MarkLogic Server.

Please note: we do not expect any changes to be required at the MarkLogic application software level to protect against this vulnerability, but we strongly recommend that affected Linux OS platforms (those running an affected glibc library version) be updated to the latest patch to close the exposure.


1) MarkLogic Dependency

Application-layer software such as MarkLogic relies on the underlying operating system for many operations, critically memory management. On the Linux platform, the glibc library is the primary library package providing memory and other runtime capabilities to the application layer.

The MarkLogic package installation depends on the availability of the glibc library from the OS layer (checking the MarkLogic rpm for its dependencies):

$ rpm -qpR MarkLogic-8.0-4.2.x86_64.rpm 
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadIsXz) <= 5.2-1

After installation, the dynamic libraries loaded by the MarkLogic binary on a test platform:

$ pwd

$ ldd MarkLogic | grep => /lib64/ (0x000000316aa00000)

$ ls -al /lib/ 
lrwxrwxrwx. 1 root root 12 Oct 28 2014 /lib/ -> 


2) glibc library Vulnerability (CVE-2015-7547)

The code that causes the vulnerability was introduced in May 2008 as part of glibc 2.9 and is only present in glibc's copy of libresolv, which has enhancements to carry out parallel A and AAAA queries. Therefore only programs using glibc's copy of that code are affected.

Please read further at -


3) Patch for Red Hat Enterprise Linux 6 & 7

This issue does not affect the versions of glibc shipped with Red Hat Enterprise Linux 3, 4 and 5.
For Red Hat Enterprise Linux 6 and 7, Red Hat has made updated packages containing the fix available as of 02/16/2016 (URL below).
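The checks in sections 1 and 3 above, scripted as an added example (not part of this article or the MarkLogic product): it resolves which libc the MarkLogic binary links against with ldd, asks rpm whether that package's changelog records the CVE-2015-7547 fix (Red Hat backports fixes, so the package version alone does not tell you), and reports a running MarkLogic that still maps the pre-update libc and therefore needs a restart. It assumes an RPM-based host and a default binary path of /opt/MarkLogic/bin/MarkLogic, which is an assumption you can override with MARKLOGIC_BIN.

```shell
#!/bin/sh
# Added example, not part of the MarkLogic KB article. Checks, the way the
# article does by hand, which glibc the MarkLogic binary links against,
# whether that package's changelog records the CVE-2015-7547 fix, and
# whether a running MarkLogic still maps the pre-update libc (needs restart).
# Assumptions: RPM-based host (RHEL/CentOS 6 or 7); the binary path below is
# an assumed default, override it with MARKLOGIC_BIN=/path/to/MarkLogic.
MARKLOGIC_BIN="${MARKLOGIC_BIN:-/opt/MarkLogic/bin/MarkLogic}"
CVE_ID="CVE-2015-7547"

# Read `ldd <binary>` output on stdin; print the resolved path of libc.so.6.
libc_path_from_ldd() {
    awk '$1 == "libc.so.6" && $2 == "=>" { print $3; exit }'
}

# Read `rpm -q --changelog <pkg>` output on stdin; succeed if it names the CVE.
# Red Hat backports fixes, so a bare version compare is not enough; the
# changelog entry is what records the backported fix.
changelog_mentions_cve() {
    grep -q -- "$1"
}

# Read /proc/<pid>/maps on stdin; succeed if the process still maps a libc
# that was replaced on disk (glibc updated, process not yet restarted).
maps_has_stale_libc() {
    grep -qE '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$'
}

# Live check; skipped when the binary or rpm is not present on this host.
if [ -x "$MARKLOGIC_BIN" ] && command -v rpm >/dev/null 2>&1; then
    libc=$(ldd "$MARKLOGIC_BIN" | libc_path_from_ldd)
    pkg=$(rpm -qf "$libc")
    echo "MarkLogic links $libc, owned by package $pkg"
    if rpm -q --changelog "$pkg" | changelog_mentions_cve "$CVE_ID"; then
        echo "OK: $pkg changelog records the $CVE_ID fix"
    else
        echo "WARNING: $pkg changelog does not mention $CVE_ID; update glibc"
    fi
    for pid in $(pgrep -x MarkLogic); do
        if maps_has_stale_libc < "/proc/$pid/maps"; then
            echo "WARNING: pid $pid still maps the old libc; restart MarkLogic"
        fi
    done
fi
```

After `yum update glibc` the library on disk is new, but every long-running process keeps the old mapping until restarted; the last loop is what catches a MarkLogic that was patched on disk but not actually in memory.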


Related Reading

GHOST: glibc vulnerability (CVE-2015-0235) -

