Background
On Feb. 16, security engineers announced a vulnerability in the GNU C Library (glibc) DNS client-side resolver that can be exploited to achieve remote code execution. Malicious, oversized DNS response packets processed by the vulnerable getaddrinfo() function can trigger a stack-based buffer overflow. The vulnerability was discovered independently and concurrently by Google and Red Hat engineers.
Impact
Since numerous software programs use this vulnerable library function, the impact of this vulnerability is classified as critical. A proof-of-concept exploit has been released to help identify vulnerable systems.
Platforms affected
All systems running glibc 2.9 or later are affected. Any software that calls the function named above may be exploited. Red Hat and Ubuntu have released patches for affected systems.
Local observations
The University Information Security Office has not observed active exploitation at IU at this point.
UISO recommendations
The UISO recommends patching affected systems as soon as possible.
Workarounds
In cases where immediate patching is not possible, the announcement outlines several mitigation strategies that may protect vulnerable systems until they can be patched.
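As an added illustration of the "oversized DNS response" condition described in the Background (example code written for this page, not from the advisory, glibc, Google or Red Hat), the following parses the DNS header of captured messages and flags responses above a size threshold, which is how a network-side monitor or resolver front end can spot traffic relevant to this bug. The 2048-byte threshold and the sample messages are assumptions constructed here, not values taken from the advisory.

```python
import struct

# Assumption (not stated in the advisory): treat any DNS response larger
# than 2048 bytes as oversized for the purpose of this check.
MAX_RESPONSE_LEN = 2048

def parse_dns_header(msg):
    """Return (id, is_response, qdcount, ancount) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return ident, bool(flags & 0x8000), qd, an   # QR bit = response

def oversized_dns_responses(messages):
    """Return the IDs of response messages exceeding MAX_RESPONSE_LEN.
    Queries are skipped: only responses are parsed by the client resolver."""
    flagged = []
    for msg in messages:
        ident, is_resp, _qd, _an = parse_dns_header(msg)
        if is_resp and len(msg) > MAX_RESPONSE_LEN:
            flagged.append(ident)
    return flagged

def build_query(ident):
    """Constructed sample: standard query for 'example.com A'."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

def build_response(ident, n_answers):
    """Constructed sample: response to 'example.com A' with n_answers A records,
    each pointing back at the question name (offset 12) to save space."""
    header = struct.pack("!6H", ident, 0x8180, 1, n_answers, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    rr_fixed = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)  # name ptr, A, IN, TTL, rdlen
    answers = b"".join(rr_fixed + bytes([192, 0, 2, i % 256])
                       for i in range(n_answers))
    return header + question + answers

# Constructed traffic sample: one query, one normal response, one padded with
# enough answer records to exceed the threshold.
SAMPLES = [build_query(0x1234), build_response(0xBEEF, 10), build_response(0xD00D, 150)]

if __name__ == "__main__":
    print("oversized response IDs:", [hex(i) for i in oversized_dns_responses(SAMPLES)])
```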