Ubuntu update for glibc



Published: 2022-10-26
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2021-3326
CVE-2021-35942
CWE-ID CWE-617
CWE-190
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Ubuntu
Operating systems & Components / Operating system

libc6 (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Reachable Assertion

EUVDB-ID: #VU50075

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3326

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion within the iconv function in the GNU C Library (aka glibc or libc6) when processing invalid input sequences in the ISO-2022-JP-3 encoding. A remote attacker can pass specially crafted data to the application, trigger an assertion failure and crash the affected application.

Mitigation

Update the affected package glibc to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libc6 (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

http://ubuntu.com/security/notices/USN-5699-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Integer overflow

EUVDB-ID: #VU55972

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35942

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information or perform a DoS attack.

The vulnerability exists due to integer overflow in parse_param in posix/wordexp.c in the GNU C Library when called with an untrusted pattern. A remote attacker can pass specially crafted data to the application, trigger integer overflow and read arbitrary memory on the system of perform a denial of service (DoS) attack.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package glibc to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libc6 (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

http://ubuntu.com/security/notices/USN-5699-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###