Amazon Linux AMI update for glibc



Published: 2019-11-23
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-10739
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Amazon Linux AMI
Operating systems & Components / Operating system

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU17105

Risk: Low

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-10739

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to the getaddrinfo() function accepts an IPv4 address followed by whitespace and arbitrary characters and treats his input as a correct IPv4 address. Software that accepts input from the getaddrinfo() function may incorrectly assume that the function return IPv4 address only. As a result, a remote attacker can inject arbitrary data into the IPv4 address and change application's behavior that relies on getaddrinfo() output (e.g., inject HTTP headers or other potentially dangerous strings).


Mitigation

Update the affected packages:

i686:
    nscd-2.17-292.178.amzn1.i686
    glibc-common-2.17-292.178.amzn1.i686
    glibc-debuginfo-common-2.17-292.178.amzn1.i686
    glibc-devel-2.17-292.178.amzn1.i686
    glibc-static-2.17-292.178.amzn1.i686
    glibc-debuginfo-2.17-292.178.amzn1.i686
    glibc-utils-2.17-292.178.amzn1.i686
    glibc-2.17-292.178.amzn1.i686
    glibc-headers-2.17-292.178.amzn1.i686

src:
    glibc-2.17-292.178.amzn1.src

x86_64:
    glibc-static-2.17-292.178.amzn1.x86_64
    glibc-headers-2.17-292.178.amzn1.x86_64
    glibc-2.17-292.178.amzn1.x86_64
    glibc-debuginfo-common-2.17-292.178.amzn1.x86_64
    glibc-devel-2.17-292.178.amzn1.x86_64
    nscd-2.17-292.178.amzn1.x86_64
    glibc-common-2.17-292.178.amzn1.x86_64
    glibc-debuginfo-2.17-292.178.amzn1.x86_64
    glibc-utils-2.17-292.178.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2019-1320.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###