Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2024-00852

Опубликовано: 18 сент. 2023
Источник: fstec
CVSS3: 5.9
CVSS2: 5.4
EPSS Низкий

Описание

Уязвимость функции getaddrinfo библиотеки GNU C (glibc) связана с использованием памяти после её освобождения. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, вызвать отказ в обслуживании

Вендор

Red Hat Inc.
Canonical Ltd.
Сообщество свободного программного обеспечения
NetApp Inc.
Novell Inc.
Fedora Project
АО «НТЦ ИТ РОСА»
The GNU Project
Project Harbor

Наименование ПО

Red Hat Enterprise Linux
Ubuntu
Debian GNU/Linux
ONTAP Select Deploy
openSUSE Tumbleweed
Red Hat Virtualization
Active IQ Unified Manager for VMware vSphere
NetApp HCI Baseboard Management Controller H410C
NetApp HCI Baseboard Management Controller H300S
NetApp HCI Baseboard Management Controller H500S
NetApp HCI Baseboard Management Controller H700S
NetApp HCI Baseboard Management Controller H410S
Fedora
AFF Baseboard Management Controller A700s
FAS/AFF Baseboard Management Controller A320
FAS/AFF Baseboard Management Controller C190
FAS/AFF Baseboard Management Controller A220
FAS/AFF Baseboard Management Controller FAS2720
FAS/AFF Baseboard Management Controller FAS2750
FAS/AFF Baseboard Management Controller A800
РОСА ХРОМ
NetApp SolidFire & HCI Storage Node
NetApp SolidFire & HCI Management Node
ATTO FibreBridge 7500N
ATTO FibreBridge 7600N
Brocade Fabric Operating System Firmware
Cloud Volumes ONTAP Mediator
FAS/AFF Baseboard Management Controller A250
FAS/AFF Baseboard Management Controller 500f
FAS/AFF Baseboard Management Controller C250
FAS/AFF Baseboard Management Controller C800
FAS/AFF Baseboard Management Controller A150
NetApp HCI Baseboard Management Controller H610C
NetApp HCI Baseboard Management Controller H610S
NetApp HCI Baseboard Management Controller H615C
NetApp HCI Compute Node BIOS
SUSE Liberty Linux
glibc
FAS/AFF Baseboard Management Controller A900
FAS/AFF Baseboard Management Controller 9500
FAS/AFF Baseboard Management Controller FAS2820
FAS/AFF Service Processor A300
FAS/AFF Service Processor 8200
FAS/AFF Service Processor 2650
FAS/AFF Service Processor 2620
FAS/AFF Service Processor A700
FAS/AFF Service Processor 9000
NetApp NFS Plug-in for VMware VAAI
ONTAP Tools for VMware vSphere
SnapCenter Plug-in for VMware vSphere/BlueXP backup and Recovery for Virtual Machine
harbor

Версия ПО

6 (Red Hat Enterprise Linux)
7 (Red Hat Enterprise Linux)
16.04 LTS (Ubuntu)
8 (Red Hat Enterprise Linux)
10 (Debian GNU/Linux)
- (ONTAP Select Deploy)
- (openSUSE Tumbleweed)
20.04 LTS (Ubuntu)
4 for RHEL 8 (Red Hat Virtualization)
11 (Debian GNU/Linux)
12 (Debian GNU/Linux)
- (Active IQ Unified Manager for VMware vSphere)
22.04 LTS (Ubuntu)
9 (Red Hat Enterprise Linux)
- (NetApp HCI Baseboard Management Controller H410C)
- (NetApp HCI Baseboard Management Controller H300S)
- (NetApp HCI Baseboard Management Controller H500S)
- (NetApp HCI Baseboard Management Controller H700S)
- (NetApp HCI Baseboard Management Controller H410S)
37 (Fedora)
- (AFF Baseboard Management Controller A700s)
- (FAS/AFF Baseboard Management Controller A320)
- (FAS/AFF Baseboard Management Controller C190)
- (FAS/AFF Baseboard Management Controller A220)
- (FAS/AFF Baseboard Management Controller FAS2720)
- (FAS/AFF Baseboard Management Controller FAS2750)
- (FAS/AFF Baseboard Management Controller A800)
8.6 Extended Update Support (Red Hat Enterprise Linux)
38 (Fedora)
39 (Fedora)
18.04 ESM (Ubuntu)
23.04 (Ubuntu)
12.4 (РОСА ХРОМ)
- (NetApp SolidFire & HCI Storage Node)
- (NetApp SolidFire & HCI Management Node)
- (ATTO FibreBridge 7500N)
- (ATTO FibreBridge 7600N)
- (Brocade Fabric Operating System Firmware)
- (Cloud Volumes ONTAP Mediator)
- (FAS/AFF Baseboard Management Controller A250)
- (FAS/AFF Baseboard Management Controller 500f)
- (FAS/AFF Baseboard Management Controller C250)
- (FAS/AFF Baseboard Management Controller C800)
- (FAS/AFF Baseboard Management Controller A150)
- (NetApp HCI Baseboard Management Controller H610C)
- (NetApp HCI Baseboard Management Controller H610S)
- (NetApp HCI Baseboard Management Controller H615C)
- (NetApp HCI Compute Node BIOS)
9 (SUSE Liberty Linux)
2.33 (glibc)
- (FAS/AFF Baseboard Management Controller A900)
- (FAS/AFF Baseboard Management Controller 9500)
- (FAS/AFF Baseboard Management Controller FAS2820)
- (FAS/AFF Service Processor A300)
- (FAS/AFF Service Processor 8200)
- (FAS/AFF Service Processor 2650)
- (FAS/AFF Service Processor 2620)
- (FAS/AFF Service Processor A700)
- (FAS/AFF Service Processor 9000)
- (NetApp NFS Plug-in for VMware VAAI)
9 (ONTAP Tools for VMware vSphere)
- (SnapCenter Plug-in for VMware vSphere/BlueXP backup and Recovery for Virtual Machine)
8 (SUSE Liberty Linux)
2.7.0 (harbor)

Тип ПО

Операционная система
Прикладное ПО информационных систем
ПО виртуализации/ПО виртуального программно-аппаратного средства
ПО программно-аппаратного средства АСУ ТП
Микропрограммный код

Операционные системы и аппаратные платформы

Red Hat Inc. Red Hat Enterprise Linux 6
Red Hat Inc. Red Hat Enterprise Linux 7
Canonical Ltd. Ubuntu 16.04 LTS
Red Hat Inc. Red Hat Enterprise Linux 8
Сообщество свободного программного обеспечения Debian GNU/Linux 10
Novell Inc. openSUSE Tumbleweed -
Canonical Ltd. Ubuntu 20.04 LTS
Сообщество свободного программного обеспечения Debian GNU/Linux 11
Сообщество свободного программного обеспечения Debian GNU/Linux 12
Canonical Ltd. Ubuntu 22.04 LTS
Red Hat Inc. Red Hat Enterprise Linux 9
Fedora Project Fedora 37
Red Hat Inc. Red Hat Enterprise Linux 8.6 Extended Update Support
Fedora Project Fedora 38
Fedora Project Fedora 39
Canonical Ltd. Ubuntu 18.04 ESM
Canonical Ltd. Ubuntu 23.04
АО «НТЦ ИТ РОСА» РОСА ХРОМ 12.4
Novell Inc. SUSE Liberty Linux 9
Novell Inc. SUSE Liberty Linux 8

Уровень опасности уязвимости

Средний уровень опасности (базовая оценка CVSS 2.0 составляет 5,4)
Средний уровень опасности (базовая оценка CVSS 3.0 составляет 5,9)

Возможные меры по устранению уязвимости

Использование рекомендаций:
Для библиотеки GNU C:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=973fe93a5675c42798b2161c6f29c01b0e243994
Для Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/
Для программных продуктов NetApp Inc.:
https://security.netapp.com/advisory/ntap-20240125-0008/
Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2023-4806
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/CVE-2023-4806
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2023-4806.html
Для Ubuntu:
https://ubuntu.com/security/notices/USN-6541-2
https://ubuntu.com/security/notices/USN-6541-1
Компенсирующие меры для Harbor :
- отключение/удаление неиспользуемых учетных записей пользователей;
- минимизация пользовательских привилегий;
- использование антивирусных средств защиты;
- контроль действий пользователей.
Для операционной системы РОСА ХРОМ: https://abf.rosa.ru/advisories/ROSA-SA-2025-2637

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Данные уточняются

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 75%
0.00926
Низкий

5.9 Medium

CVSS3

5.4 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2023-4806

CVSS3: 5.9
ubuntu
почти 2 года назад

A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

redhat логотип

CVE-2023-4806

CVSS3: 5.9
redhat
почти 2 года назад

A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

nvd логотип

CVE-2023-4806

CVSS3: 5.9
nvd
почти 2 года назад

A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

debian логотип

CVE-2023-4806

CVSS3: 5.9
debian
почти 2 года назад

A flaw was found in glibc. In an extremely rare situation, the getaddr ...

github логотип

GHSA-5f52-v49r-796w

CVSS3: 5.9
github
почти 2 года назад

A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

EPSS

Процентиль: 75%
0.00926
Низкий

5.9 Medium

CVSS3

5.4 Medium

CVSS2