Knowledgebase:
Securing MarkLogic against glibc library vulnerability CVE-2015-7547 glibc getaddrinfo() stack-based buffer overflow
18 February 2016 10:35 AM

Summary

This knowledge base article discusses the various aspects of the vulnerability found in the glibc library (CVE-2015-7547) with respect to MarkLogic Server.

Please note: we do not expect any changes to be required at the MarkLogic application software level to protect against this vulnerability, but we highly recommend that affected Linux OS platforms (those using an affected glibc version) be updated with the latest patch to remove the exposure.


1) MarkLogic Dependency 

Application-layer software such as MarkLogic relies on the underlying operating system for various operations, most critically memory management. On the Linux platform, the glibc library is the primary library package providing memory management and other core capabilities to the application layer.

The MarkLogic package installation depends on the availability of the glibc library from the OS layer (checking the MarkLogic RPM for its dependencies):

$ rpm -qpR MarkLogic-8.0-4.2.x86_64.rpm 
lsb 
gdb 
libc.so.6(GLIBC_2.11)(64bit) 
libgcc_s.so.1()(64bit) 
libstdc++.so.6()(64bit) 
libc.so.6(GLIBC_2.11) 
cyrus-sasl 
/bin/sh 
/bin/sh 
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadIsXz) <= 5.2-1

After installation, the dynamic libc library that the MarkLogic binary actually loads on the test platform:

$ pwd
/opt/MarkLogic/bin

$ ldd MarkLogic | grep libc.so
libc.so.6 => /lib64/libc.so.6 (0x000000316aa00000)

$ ls -al /lib/libc.so.6 
lrwxrwxrwx. 1 root root 12 Oct 28 2014 /lib/libc.so.6 -> libc-2.12.so 


2) glibc library Vulnerability (CVE-2015-7547)

The code that causes the vulnerability was introduced in May 2008 as part of glibc 2.9 and is only present in glibc's copy of libresolv, which has enhancements to carry out parallel A and AAAA queries. Therefore only programs using glibc's copy of the code have this problem.

Please read the upstream announcement for further details: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html


3) Patch for Red Hat Enterprise Linux 6 & 7 

This issue does not affect the versions of glibc shipped with Red Hat Enterprise Linux 3, 4 and 5.
For Red Hat Enterprise Linux 6 and 7, Red Hat made updated packages containing the fix available as of 02/16/2016 (see the URL below):
https://access.redhat.com/security/cve/cve-2015-7547
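The two checks described in sections 1 and 3 (which libc the MarkLogic binary loads, and whether the installed glibc package carries the fix) can be combined into one script. This is an added example, not code from the article or from MarkLogic; the ldd output and RPM changelog entries it reads are constructed samples, and the release strings in them are placeholders to be replaced with the versions listed in the Red Hat advisory.

```shell
#!/bin/sh
# Added example (not from the MarkLogic article): verify that the libc loaded by
# the MarkLogic binary is the OS package and that the installed glibc RPM's
# changelog records the CVE-2015-7547 fix. Inputs are constructed samples
# modelled on the article's transcript so the script runs offline.

# Path of libc.so.6 as resolved by the dynamic loader.
# Real input: ldd /opt/MarkLogic/bin/MarkLogic
libc_path_from_ldd() {
    printf '%s\n' "$1" | awk '$1 == "libc.so.6" && $2 == "=>" { print $3; exit }'
}

# 0 when the path is the distribution's libc (an OS patch covers it),
# 1 if the binary were loading a private copy from somewhere else.
uses_system_libc() {
    case "$1" in
        /lib64/libc.so.6|/lib/libc.so.6) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when the package changelog lists the CVE. Red Hat notes fixed CVEs in the
# RPM changelog, which is more reliable than comparing release strings by hand.
# Real input: rpm -q --changelog glibc
changelog_has_cve_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2015-7547'
}

# Combined verdict: 0 only if MarkLogic uses the system libc and it is patched.
glibc_patched_for_marklogic() {
    ml_libc=$(libc_path_from_ldd "$1")
    uses_system_libc "$ml_libc" && changelog_has_cve_fix "$2"
}

# Constructed sample inputs; release strings are placeholders, not real builds.
SAMPLE_LDD='linux-vdso.so.1 =>  (0x00007fff5e1ff000)
libc.so.6 => /lib64/libc.so.6 (0x000000316aa00000)
/lib64/ld-linux-x86-64.so.2 (0x000000316a600000)'
CHANGELOG_UNPATCHED='* Tue Oct 28 2014 Builder <builder@example.com> - 2.12-PLACEHOLDER_OLD
- unrelated change'
CHANGELOG_PATCHED='* Tue Feb 16 2016 Builder <builder@example.com> - 2.12-PLACEHOLDER_NEW
- Fix stack-based buffer overflow in getaddrinfo (CVE-2015-7547)'

for log in "$CHANGELOG_UNPATCHED" "$CHANGELOG_PATCHED"; do
    if glibc_patched_for_marklogic "$SAMPLE_LDD" "$log"; then
        echo "patched: $(libc_path_from_ldd "$SAMPLE_LDD") carries the CVE-2015-7547 fix"
    else
        echo "NOT patched: update glibc per the Red Hat advisory, then restart MarkLogic"
    fi
done
```

A running MarkLogic process keeps the old libc mapped until it is restarted, so restart the service (or reboot) after the package update; `lsof` showing a libc marked "(deleted)" is the sign that a process is still on the old copy.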


Related Reading

GHOST: glibc vulnerability (CVE-2015-0235) - https://access.redhat.com/articles/1332213

US-CERT: https://www.us-cert.gov/ncas/current-activity/2016/02/17/GNU-glibc-Vulnerability
