CVE-2019-9169. Heap-based buffer over-read in the GNU C Library. (BSA-2022-776)

Brocade Fabric OS


21213

20 March 2023

13 September 2022

CLOSED

LOW

Base Score: 9.8 - CRITICAL - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

N/A

CVE-2019-9169

Summary

Security Advisory ID: BSA-2022-776

Component: GNU C Library

Revision: 2.0

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.

Notes:

Brocade PSIRT has confirmed that the glibc interface is only exposed to internal trusted modules and is not accessible for exploitation. The only way to cause a heap-based buffer over-read and exploit this vulnerability would be through crafted execution of external code, which only a user with root privileges can introduce.

Affected Products

  • Brocade GEN 6 SAN switches (Brocade X6-8, Brocade X6-4, G630, Brocade G620, Brocade G610, and the Brocade 7810) running Brocade Fabric OS versions before v8.2.3c
  • Brocade GEN 6 SAN switches running Brocade Fabric OS before v8.2.0_cbn5 and after v8.2.0_cbn1

Product under investigation

  • Brocade Active Support Connectivity Gateway (ASC-G)

Products Confirmed Not Vulnerable

  • Brocade SAN switches (Brocade 300, Brocade 7800, Brocade 8510, Brocade 6520, Brocade 6510, and Brocade 6505) running any version of Brocade Fabric OS
  • Brocade Fabric OS v9.0.0 and later.
  • Brocade Fabric OS v7.4.2x releases.

No other Brocade Fibre Channel products from Broadcom are known to be affected by this vulnerability.

Solution

Security update provided in Brocade Fabric OS: v8.2.3c, v8.2.0_CBN5, and all later versions.
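An added version-triage helper (not Brocade's code) that encodes the affected and fixed ranges above so an inventory of switches can be checked in bulk; the Fabric OS version-string grammar and the reading of "after v8.2.0_cbn1" as excluding cbn1 itself are assumptions:

```python
import re

# Constructed helper (not Brocade's code): decide whether a Fabric OS version
# string falls in the ranges BSA-2022-776 lists as affected. The version-string
# grammar below is an assumption about how FOS versions are written.
_FOS_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([a-z]?)(?:_cbn(\d+))?$", re.IGNORECASE)

def parse_fos(version):
    """'v8.2.3c' -> (8, 2, 3, 'c', None); 'v8.2.0_CBN5' -> (8, 2, 0, '', 5)."""
    m = _FOS_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Fabric OS version: %r" % version)
    major, minor, patch, letter, cbn = m.groups()
    return (int(major), int(minor), int(patch), letter.lower(),
            int(cbn) if cbn is not None else None)

def is_affected(version, gen6):
    """True when a GEN 6 switch runs a version the advisory lists as affected.

    Ranges encoded from the advisory:
      - before v8.2.3c (main line)                  -> affected
      - v8.2.0_cbn2 .. v8.2.0_cbn4 (CBN line)       -> affected
      - v9.0.0 and later, v7.4.2x, non-GEN 6 models -> not vulnerable
    'after v8.2.0_cbn1' is read as excluding cbn1 itself (assumption).
    """
    if not gen6:
        return False
    major, minor, patch, letter, cbn = parse_fos(version)
    if (major, minor, patch) >= (9, 0, 0) or (major, minor, patch) == (7, 4, 2):
        return False
    if cbn is not None:
        return (major, minor, patch) == (8, 2, 0) and 1 < cbn < 5
    return (major, minor, patch, letter) < (8, 2, 3, "c")

def triage(inventory):
    """Map switch name -> bool for a {name: (model_is_gen6, version)} inventory."""
    return {name: is_affected(ver, gen6) for name, (gen6, ver) in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory, not taken from the advisory.
    sample = {
        "san-core-01": (True, "v8.2.3b"),      # affected: before v8.2.3c
        "san-core-02": (True, "v8.2.3c"),      # fixed release
        "san-edge-01": (True, "v8.2.0_cbn3"),  # affected: CBN build between cbn1 and cbn5
        "san-edge-02": (True, "v8.2.0_CBN5"),  # fixed CBN release
        "san-old-01":  (False, "v7.4.2d"),     # GEN 5 model, listed as not vulnerable
        "san-new-01":  (True, "v9.1.1"),       # v9.x listed as not vulnerable
    }
    for name, hit in sorted(triage(sample).items()):
        print("%-12s %s" % (name, "AFFECTED" if hit else "ok"))
```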

Revision History

Version | Change                                      | Date
1.0     | Initial Publication                         | Sept 13, 2022
1.1     | Statement on GEN 5 and FOS 7.4.2x releases. | Oct 18, 2022
2.0     | Statement on GEN 6                          | Nov 29, 2022