GHOST / CVE-2015-0235 is a ‘buffer overflow’ vulnerability affecting the gethostbyname() function calls in the glibc library. An attacker could exploit this vulnerability to execute code on a remote host by supplying an invalid DNS response.
If your glibc library is equal to or below version 2.17, you are probably vulnerable to CVE-2015-0235.
- RedHat - GHOST: glibc vulnerability (CVE-2015-0235)
- Ubuntu - CVE-2015-0235
- Debian Security Tracker - CVE-2015-0235
If your glibc library is equal to or above version 2.18, you are not vulnerable to CVE-2015-0235.
PHP code relying on the native glibc gethostbyname() system call is vulnerable, as mentioned by Sucuri. We advise reviewing the code and ensuring that the native glibc library and the PHP interpreter are patched.
If your code relies on the java_net_Inet4AddressImpl class (in JDK 7), it natively calls gethostbyname() (if compiled with the GLIBC option, which is the case for any standard GNU/Linux distribution).
Java applications that rely on the java.net.Inet4AddressImpl class, whose methods call gethostbyname(), are vulnerable if the underlying operating system/glibc is not patched.
It’s also recommended to restart Java applications after the glibc update, as the dynamic library might be cached by the JVM.
In JDK 8 (java_net_Inet4AddressImpl class), gethostbyname() was replaced by getaddrinfo(), which is not vulnerable, by a patch in November 2011.
So Java applications (JDK 7, or JDK 8 before November 2011) that check non-trusted DNS records are vulnerable to the GHOST vulnerability if glibc is not patched or an older glibc (< 2.18) is in use.
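A host check for the version thresholds and the restart advice above, as an added example that is not part of the original advisory; the function names and the `--scan` switch are assumptions made here.

```shell
#!/bin/sh
# Added example. Thresholds come from this advisory; all names are hypothetical.

# Classify a glibc version string ("2.17", "2.12-1.149.el6") by the advisory's
# rule: <= 2.17 probably vulnerable, >= 2.18 not vulnerable.
glibc_status() {
    ver=${1%%[!0-9.]*}                 # drop a package suffix such as "-1.149.el6"
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 18 ]; }; then
        echo not-vulnerable
    else
        echo probably-vulnerable
    fi
}

# Succeeds if a /proc/<pid>/maps file still maps a libc that was replaced on
# disk. The kernel marks such mappings "(deleted)": the process (a JVM, for
# instance) keeps the old library in memory until it is restarted.
uses_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# Report the installed glibc and every process that needs a restart.
scan_host() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null) || v=
    echo "installed glibc: ${v:-unknown} -> $(glibc_status "${v#glibc }")"
    for m in /proc/[0-9]*/maps; do
        if uses_stale_libc "$m"; then
            pid=${m#/proc/}; pid=${pid%/maps}
            echo "restart needed: pid $pid"
        fi
    done
}

if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

Distribution packages can carry the fix under an unchanged upstream version number, so confirm a `probably-vulnerable` result against the vendor advisories listed above.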
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
- Version 1.0 - TLP:WHITE - First version