First published 9th March 2022

CVSS 3.1 Base Score: 8.1 (High)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Multiple vulnerabilities have been found in the GNU C Library (glibc). This affects the following IGEL products:

  • IGEL OS 11
  • IGEL OS 10

Details

Security issues have been discovered in glibc features such as iconv (CVE-2016-10228, CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2021-3326), nscd (CVE-2021-27645) and sunrpc (CVE-2022-23218, CVE-2022-23219). A remote attacker could use these to cause the GNU C Library to hang or crash, resulting in a denial of service. Additionally, the features wordexp (CVE-2021-35942) and realpath (CVE-2021-3998) could be made to disclose information. The vulnerability in getcwd (CVE-2021-3999) could possibly be used to execute arbitrary code.

Update Instructions

  • IGEL OS 11: Update to version 11.07.100 (to be released on 29th March 2022) or newer
  • IGEL OS 10: Upgrade to IGEL OS 11.07.100 (to be released on 29th March 2022) or newer

Mitigation

  • The issues CVE-2022-23218 and CVE-2022-23219 in sunrpc can be mitigated by mounting NFS shares from trusted NFS servers only.
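To check that the mitigation is actually in place on a device, the NFS mounts currently active can be compared against a list of trusted servers. The following is an added example, not from the IGEL advisory or IGEL's tooling: it parses /proc/mounts-style lines, keeps the nfs and nfs4 entries, extracts the server part of the mount source (including bracketed IPv6 literals) and reports any mount whose server is not in the allowlist. The server names, addresses and mount lines are constructed sample data, as is the allowlist.

```python
"""Audit active NFS mounts against an allowlist of trusted servers.

Added example (not from the IGEL advisory). Reads /proc/mounts-style
lines and flags NFS mounts served from hosts outside the allowlist.
All hostnames, addresses and mount lines here are constructed samples.
"""
from dataclasses import dataclass

# Constructed allowlist: the NFS servers an administrator has vetted.
TRUSTED_NFS_SERVERS = {"nfs01.corp.example", "10.0.20.5"}

# Constructed sample of /proc/mounts content
# (fields: source target fstype options dump pass).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
nfs01.corp.example:/export/home /home nfs4 rw,relatime,vers=4.1,proto=tcp 0 0
10.0.20.5:/srv/profiles /mnt/profiles nfs rw,vers=3,proto=tcp 0 0
[fd00::1]:/data /mnt/v6 nfs4 rw,vers=4.2 0 0
192.0.2.77:/public /mnt/untrusted nfs rw,vers=3,proto=udp 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""


@dataclass
class NfsMount:
    server: str
    export: str
    target: str
    fstype: str
    options: str


def parse_nfs_mounts(text: str) -> list:
    """Return the NFS/NFSv4 mounts found in /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        # Only whitespace-separated mount lines of type nfs or nfs4 matter here.
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        source, target, fstype, options = fields[:4]
        # Mount source is 'server:/export'; rpartition keeps IPv6 colons on the server side.
        server, sep, export = source.rpartition(":")
        if not sep:
            continue  # not in server:/export form, nothing to check
        if server.startswith("[") and server.endswith("]"):
            server = server[1:-1]  # strip brackets from an IPv6 literal
        # Note: /proc/mounts encodes spaces in paths as \040; left undecoded here.
        mounts.append(NfsMount(server, export, target, fstype, options))
    return mounts


def untrusted_nfs_mounts(text: str, trusted=TRUSTED_NFS_SERVERS) -> list:
    """NFS mounts whose server is not on the trusted list."""
    return [m for m in parse_nfs_mounts(text) if m.server not in trusted]


def report(text: str, trusted=TRUSTED_NFS_SERVERS) -> list:
    """Human-readable findings, one line per untrusted mount."""
    return [
        f"UNTRUSTED NFS server {m.server} ({m.fstype}) mounted at {m.target} from {m.export}"
        for m in untrusted_nfs_mounts(text, trusted)
    ]


if __name__ == "__main__":
    # On a live system read the real table instead of the constructed sample:
    # with open("/proc/mounts") as fh: text = fh.read()
    for line in report(SAMPLE_MOUNTS):
        print(line)
```

On a running device the constructed sample is replaced by the contents of /proc/mounts; the same parsing applies to /etc/fstab-style entries if the goal is to audit configured rather than active mounts.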

References