Problem: A buffer overflow vulnerability in the GNU C library (glibc) has been publicly disclosed by Qualys.
- System x CCA and Toolkit users running CCA release 4.1, 4.2, 4.3, 4.4.16, or 4.4.20.
- System p AIX CCA and Toolkit users running CCA 4.3.8 or 4.4.20.
Note: The base PCIe Cryptographic Coprocessor (CCA) is not susceptible to the two known security issues described below. Only Toolkit customers may be susceptible. However, as a consumer of the GNU C Library (glibc), IBM is making a patch available for System x 4765 and System p PCIe Cryptographic Coprocessor users. Toolkit customers should download and install the fix and contact their Toolkit provider if there are any questions.
As of April 2015, a patch is available for System x 4765 and System p PCIe Cryptographic Coprocessor users who have used a Toolkit to develop a firmware application that uses (1) the network port, or (2) the gethostbyname() or gethostbyname2() glibc functions. If you are one of these users, you may be exposed to the following reported security vulnerability:
GHOST: glibc gethostbyname buffer overflow vulnerability (CVE-2015-0235)
Description: A heap-based buffer overflow exists in the GNU C library, commonly known as glibc. The affected library component is the ss_hostname_digits_dots() function used by both gethostbyname() and gethostbyname2() glibc functions. Programs calling these functions may be vulnerable to a buffer overflow, exploitable by local, as well as remote users, to execute arbitrary code on affected systems. In-depth technical information on the vulnerability has been publicly released and includes exploit, mitigation, and patch information. While not yet publicly available, a proof-of-concept remote exploit has been developed using this vulnerability that Qualys plans on publishing.
The GNU C library is most commonly used in systems using the Linux kernel.
CVE-2015-0235 has a Base CVSS score of 6.8 (medium)
CCA and Toolkit users: The GNU C library is shipped with the 4765 base support. The base card is not susceptible to these issues because the card is not shipped with the network port enabled, and there is no auto-config script to set up a network or ethernet device. Also, the card does not use the gethostbyname() nor gethostbyname2() glibc functions. IBM is providing the fix because the 4765 coprocessor is a consumer of the GNU C library. Applying this security patch is left to your discretion. To install the patch, see the instructions below. CCA customers should contact email@example.com with questions.
Toolkit users only: If your firmware application for the IBM 4765 uses the affected GNU C library functions or enables the network port, apply the security patch which corrects the vulnerability. Contact your Toolkit provider with questions.
To install the patch:
System x users:
- System x users of CCA Release 4.1 must move up to CCA Release 4.2 or later before applying the patch.
- Download the file (TAR, 31.1 MB) which contains a README.txt file and CLU files that contain the the patch.
- Untar the downloaded file.
- Follow the directions provided in the README.txt file to install the patch.
System p AIX users:
- Download the file (Z, 4.8 MB) that contains an interim fix.
- Install the interim fix using this command:
emgr -X -e 4765FW4428.150326.epkg.Z
- Follow the directions provided in the README file:
Installing the ghost vulnerability security patch corrects the security vulnerability described above.