Questions? Feedback? powered by Olark live chat software
Knowledgebase
Author Avatar

Updating for Vulnerability CVE-2015-7547

Written by: on 22 February 2016 12:33 PM 22 February 2016 12:33 PM

Find out details about red hat support for the Common Vulnerability. Learn it youself by following step by step tutorial.

Overview

The Google Security Team and Red Hat have discovered a flaw in the way that certain types of DNS lookups are handled on some Linux servers. By exploiting this critical vulnerability, an attacker could gain full control over the system.

Impact

The code that causes the vulnerability was introduced in a 2008 update to the GNU C Library (glibc). That package contains a library against which all GNU/Linux programs are linked, and the flaw affects the version of glibc included in a number of current Linux distributions:

  • CentOS 6 and 7
  • Fedora 22 and 23
  • Ubuntu 12.04 LTS, 14.04 LTS
  • Debian 6 (squeeze), 7 (wheezy)

Resolution

On affected servers, glibc needs to be updated and the server rebooted. 

First SSH to the server, see: https://www.vpsblocks.com.au/support/Knowledgebase/Article/View/41/0/how-do-i-use-ssh 

Step #1: Check the Current glibc Version

  1. On CentOS 6 and CentOS 7 servers, run:

    yum list glibc

    That will produce output similar to:

    [root@host ~]# yum list glibc
    Installed Packages
    glibc.x86_64     2.17-106.el7_2.1     @system-updates-released
    Available Packages
    glibc.i686     2.17-106.el7_2.1     system-updates-released

    The currently installed version is listed under Installed Packages.

  2. On Fedora 22 and Fedora 23 servers, run:

    dnf list glibc

    That will produce output similar to:

    [root@host ~]# dnf list glibc
    Installed Packages
    glibc.x86_64     2.21-5.fc22     @System
    Available Packages
    glibc.i686     2.21-5.fc22     fedora

    The currently installed version is listed under Installed Packages.

  3. On Debian (6, 7) and Ubuntu (12.04 LTS, 14.04) servers, run:

    ldd --version

    That will produce output similar to:

    [root@host ~]# ldd --version
    ldd (Ubuntu EGLIBC 2.21-0ubuntu4.1) 2.19
    Copyright (C) 2012 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Written by Roland McGrath and Ulrich Drepper.

    The currently installed version in this example is 2.21-0ubuntu4.1.

Step #2: Is the Installed Version Vulnerable?

If the version returned by the command you ran above matches (or exceeds) the version listed below for your operating system, then the vulnerability already has been patched:

  • Patched versions:
  • CentOS 6: glibc-2.12-1.166.el6_7.7
  • CentOS 7: glibc-2.17-106.el7_2.4
  • Fedora 22: glibc-2.21-11.fc22
  • Fedora 23: glibc-2.22-9.fc23
  • Debian 6 (squeeze): eglibc 2.11.3-4+deb6u11
  • Debian 7 (wheezy): eglibc 2.13-38+deb7u10
  • Ubuntu 14.04 LTS: libc6 2.19-0ubuntu6.7
  • Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.13

If the version returned by the command you ran in Step 1 is lower than what’s listed above for your operating system you will need to proceed to Step 3 to upgrade and reboot.

Step #3: Update glibc on a Self-Managed Server

Run these commands as root to update and reboot:

  1. On Debian (6, 7) and Ubuntu (12.04 LTS, 14.04 LTS) servers:
    apt-get update
    apt-get upgrade
    reboot

     

  2. On CentOS 6 and CentOS 7 servers (to update only glibc):
    yum clean all
    yum update glibc
    reboot

    On CentOS 6 and CentOS 7 servers (to update all packages -recommended):
    yum install yum-utils -y && package-cleanup --oldkernels --count=1 -y && sed -i 's/installonly_limit=.*/installonly_limit=2/g' /etc/yum.conf && yum clean all && yum update -y
    reboot

     

  3. On Fedora 22 and Fedora 23 servers:
    dnf clean all
    dnf update
    reboot

     

Note: Please remember that following these steps, you must reboot the server in order for the update to take effect and ensure you’ve been secured. If you need assistance with this, please contact support and we can do this for you. This will require a server reboot to install the updates.
(0 vote(s))
Helpful
Not helpful