Securing MarkLogic against glibc library vulnerability CVE-2015-7547 glibc getaddrinfo() stack-based buffer overflow
18 February 2016 10:35 AM
This knowledge base discusses the various aspect of vulnerabilty found in glibc library (CVE-2015-7547) in respect to MarkLogic Server.
Please note - We do not expect any changes to be done at MarkLogic Application software level to protect against vulnerability, but we highly recommend that affected Linux OS platform (using affected library version) get latest patch to protect against exposure.
1) MarkLogic Dependency
Application layer software like MarkLogic relies on underneath Operating System for various operations, critically Memory Managment. On Linux platform, glibc library is the prime lirbary package, providing different memory capability to Application layer.
MarkLogic package installation depends upon the avaibility of glibc library from OS layer (Checking MarkLogic rpm for dependency).
After Installation Dynamic Library Load for MarkLogic binary on Test Platform
2) glibc library Vulnerability (CVE-2015-7547)
The code that causes the vulnerability was introduced in May 2008 as part of glibc 2.9, and only present in glibc's copy of libresolv which has enhancements to carry out parallel A and AAAA queries. Therefore only programs using glibc's copy of the code have this problem.
Please read further at - https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
3) Patch for Red Hat Enterprise Linux 6 & 7
This issue does not affect the versions of glibc as shipped with Red Hat Enterprise Linux 3, 4 and 5.
GHOST: glibc vulnerability (CVE-2015-0235) - https://access.redhat.com/articles/1332213