ISN 2022-03: Glibc Denial of Service in IGEL OS
First published 9th March 2022
CVSS 3.1 Base Score: 8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Multiple vulnerabilities have been found in the GNU C Library (glibc). This affects the following IGEL products:
IGEL OS 11
IGEL OS 10
Details
Security issues have been discovered in Glibc features such as iconv (CVE-2016-10228, CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2021-3326), nscd (CVE-2021-27645) and sunrpc (CVE-2022-23218, CVE-2022-23219). A remote attacker could use these to cause the GNU C Library to hang or crash, resulting in a denial of service. Additionally, the features wordexp (CVE-2021-35942) and realpath (CVE-2021-3998) could be made to disclose information. The vulnerability in getcwd (CVE-2021-3999) could possibly be used to execute arbitrary code.
Update Instructions
IGEL OS 11: Update to version 11.07.100 (to be released on 29th March 2022) or newer
IGEL OS 10: Upgrade to IGEL OS 11.07.100 (to be released on 29th March 2022) or newer
Mitigation
The issues CVE-2022-23218 and CVE-2022-23219 in sunrpc can be mitigated by mounting NFS shares from trusted NFS servers only.