University Information Security Office Bulletin
On Feb. 16, security engineers announced a vulnerability in the GNU C Library (glibc) DNS client-side resolver that could allow remote code execution. The flaw is in the getaddrinfo() function: a malicious, oversized DNS response can overflow a stack-based buffer in the resolver, so any party able to answer a vulnerable host's DNS queries (a rogue or compromised DNS server, or an attacker in the network path) can trigger it. The vulnerability was independently discovered by engineers at Google and Red Hat.
Because numerous programs call this vulnerable library function (any glibc-linked program that resolves hostnames), the impact of this vulnerability is classified as critical. A proof-of-concept exploit has been released to help identify vulnerable systems.
The University Information Security Office has not observed active exploitation at IU at this point.
The UISO recommends patching affected systems as soon as possible. Note that the updated library only takes effect in processes started after the update, so long-running services that have glibc loaded must be restarted, or the host rebooted, for the patch to apply.
In cases where immediate patching is not possible, the announcement outlines several mitigation strategies that may protect vulnerable systems until patching can occur.
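The following is an added example, not part of the UISO bulletin, for a first pass at identifying systems that need attention. It assumes, from the upstream glibc advisory rather than from this bulletin, that the bug was introduced in glibc 2.9 and fixed in 2.23; the helper classifies a version string and reports the version of the glibc actually loaded on the host.

```shell
#!/bin/sh
# Added example (not from the UISO bulletin): triage a glibc version for the
# getaddrinfo() stack-based buffer overflow.
# Assumption (upstream advisory, not this bulletin): introduced in glibc 2.9,
# fixed in glibc 2.23, so 2.9 <= version < 2.23 is the affected range.
# Caveat: distributions backport the fix without changing the version number,
# so "affected" here means "verify your vendor's patch level", not
# "confirmed vulnerable"; only the vendor's package advisory settles that.

# glibc_affected VERSION -> prints affected | not-affected | unknown
# Accepts 2.17, 2.17.3, 2.17-106 and similar forms.
glibc_affected() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}        # drop a patch level such as 2.17.3 -> 17
  minor=${minor%%-*}       # drop a distro suffix such as 2.17-106 -> 17
  case "$major$minor" in
    *[!0-9]*|"") echo "unknown"; return 0 ;;
  esac
  if [ "$major" -ne 2 ]; then
    echo "unknown"
  elif [ "$minor" -ge 9 ] && [ "$minor" -lt 23 ]; then
    echo "affected"
  else
    echo "not-affected"
  fi
}

# Version of the glibc this host actually runs. getconf reports the runtime
# library, which is what getaddrinfo() callers are linked against.
running_glibc_version() {
  getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}'
}

ver=$(running_glibc_version)
if [ -n "$ver" ]; then
  echo "glibc $ver: $(glibc_affected "$ver")"
else
  echo "could not determine glibc version (getconf GNU_LIBC_VERSION unavailable)"
fi
```

Run it on each Linux host, then confirm any "affected" result against the distribution's package changelog before and after installing the update. Remember that hosts inside the affected range are only safe once the patched glibc has been installed and the resolving processes restarted.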