ISN 2022-03: Glibc Denial of Service in IGEL OS

First published 9th March 2022

CVSS 3.1 Base Score: 8.1 (High)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Multiple vulnerabilities have been found in the GNU C Library (glibc). This affects the following IGEL products:

  • IGEL OS 11
  • IGEL OS 10

Details

Security issues have been discovered in Glibc features such as iconv (CVE-2016-10228, CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2021-3326), nscd (CVE-2021-27645) and sunrpc (CVE-2022-23218, CVE-2022-23219). A remote attacker could use these to cause the GNU C Library to hang or crash, resulting in a denial of service. Additionally, the features wordexp (CVE-2021-35942) and realpath (CVE-2021-3998) could be made to disclose information. The vulnerability in getcwd (CVE-2021-3999) could possibly be used to execute arbitrary code.

Update Instructions

  • IGEL OS 11: Update to version 11.07.100 (to be released on 29th March 2022) or newer
  • IGEL OS 10: Upgrade to IGEL OS 11.07.100 (to be released on 29th March 2022) or newer

Mitigation

  • The issues CVE-2022-23218 and CVE-2022-23219 in sunrpc can be mitigated by mounting NFS shares from trusted NFS servers only.

References