Overview
GHOST / CVE-2015-0235 is a ‘buffer overflow’ vulnerability affecting the gethostbyname() function calls in the glibc library. An attacker could exploit this vulnerability to execute code on a remote host by supplying an invalid DNS response.
Vulnerable systems
If your glibc library version is equal to or below 2.17, you are probably vulnerable to CVE-2015-0235.
- RedHat - GHOST: glibc vulnerability (CVE-2015-0235)
- Ubuntu - CVE-2015-0235
- Debian Security Tracker - CVE-2015-0235
Non-vulnerable systems
If your glibc library version is equal to or above 2.18, you are not vulnerable to CVE-2015-0235.
PHP
PHP code relying on the native glibc gethostbyname() function is vulnerable, as mentioned by Sucuri. We advise reviewing the code and ensuring that the native glibc library and the PHP interpreter are patched.
Java
If your code relies on the java_net_Inet4AddressImpl class (in JDK 7), it natively calls gethostbyname() (if compiled with the GLIBC option, which is the case for any standard GNU/Linux distribution).
JDK 7 - java.net.Inet4AddressImpl class
Java applications which rely on the java.net.Inet4AddressImpl class, with its associated methods relying on gethostbyname() calls, are vulnerable if the underlying operating system/glibc is not patched.
It’s also recommended to restart Java applications after the glibc updates, as the dynamic library might be cached by the JVM.
In JDK 8 (java_net_Inet4AddressImpl class), gethostbyname() was replaced by a patch in November 2011 by getaddrinfo(), which is not vulnerable.
JDK 8 Update replacing gethostbyname() by getaddrinfo() JDK 8 - getaddrinfo() patch
So Java applications (JDK 7, or JDK 8 before November 2011) that check non-trusted DNS records are vulnerable to the GHOST vulnerability if the glibc is not patched or if an older glibc (< 2.18) is in use.
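The following shell check is an added example, not part of the original advisory: it classifies the running glibc against the version thresholds given above and lists processes (JVMs included) that still map a libc file replaced by an update and therefore need a restart. The function names and the /proc scan are this example's own assumptions.

```shell
#!/bin/sh
# Added example. Thresholds are the advisory's: <= 2.17 probably vulnerable,
# >= 2.18 not vulnerable. Distributions may backport the fix without changing
# the version number, so confirm the result against the vendor advisory.

# glibc_status VERSION -> probably-vulnerable | not-vulnerable | unknown
glibc_status() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$1" in *.*) ;; *) major= ;; esac
    case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 18 ]; }; then
        echo not-vulnerable
    else
        echo probably-vulnerable
    fi
}

# stale_libc_pids [PROC_ROOT] -> one PID per line for every process whose
# memory map still references a libc file that was replaced on disk (the
# kernel marks it "(deleted)"). Such processes keep running the old library
# until they are restarted.
stale_libc_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Report for the local host (run as root to see every process).
ver=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
echo "glibc ${ver:-not detected}: $(glibc_status "$ver")"
echo "PIDs still mapping a replaced libc: $(stale_libc_pids | tr '\n' ' ')"
```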
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.0 - TLP:WHITE - First version