Security Bulletin: Multiple vulnerabilities in the GNU C Library (glibc) affect PowerKVM

Vulnerability Details

CVEID: CVE-2015-7547
DESCRIPTION: GNU C Library (glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the nss_dns backend for the getaddrinfo() function when performing dual A/AAAA DNS queries. By sending a specially crafted DNS response, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2013-7423
DESCRIPTION: GNU glibc could allow a local attacker to obtain sensitive information, caused by the writing of DNS queries to random file descriptors under high load by the getaddrinfo() function. An attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 1.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100647 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1472
DESCRIPTION: GNU glibc is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by stdio-common/vfscanf.c. By sending an overly long string, a local attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100635 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-1473
DESCRIPTION: GNU glibc is vulnerable to a denial of service, caused by a stack-based buffer overflow in stdio-common/vfscanf.c. A remote attacker could exploit this vulnerability to trigger a failed alloca and cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100636 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-1781
DESCRIPTION: GNU C Library (glibc) is vulnerable to a buffer overflow, caused by improper bounds checking by the gethostbyname_r() and other related functions. By sending a specially-crafted argument, a remote attacker could overflow a buffer and execute arbitrary code on the system elevated privileges or cause the application to crash.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102500 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-5229
DESCRIPTION: GNU C Library (glibc) is vulnerable to a denial of service, caused by the return of memory areas containing non-zero bytes by the calloc implementation. A remote attacker could exploit this vulnerability to cause the application to crash or hang.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110711 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-5277
DESCRIPTION: GNU C Library (glibc) could allow a local attacker to gain elevated privileges on the system, caused by a heap corruption error in the nss_files backend for the Name Service Switch. An attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108484 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)