USN-6804-1: GNU C Library vulnerabilities

Operations Manager

2 more products

24746

22 August 2024

22 August 2024

CLOSED

MEDIUM

CVE-2024-33599;CVE-2024-33600;CVE-2024-33601;CVE-2024-33602

Severity

medium

Vendor

VMware Tanzu

Versions Affected

  • Cflinuxfs3
  • Canonical Ubuntu 18.04
  •  

Description

It was discovered that GNU C Library nscd daemon contained a stack-based buffer overflow. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-33599) It was discovered that GNU C Library nscd daemon did not properly check the cache content, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-33600) It was discovered that GNU C Library nscd daemon did not properly validate memory allocation in certain situations, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-33601) It was discovered that GNU C Library nscd daemon did not properly handle memory allocation, which could lead to memory corruption. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-33602) Update Instructions: Run `sudo pro fix USN-6804-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: glibc-doc - 2.23-0ubuntu11.3+esm7 glibc-source - 2.23-0ubuntu11.3+esm7 libc-bin - 2.23-0ubuntu11.3+esm7 libc-dev-bin - 2.23-0ubuntu11.3+esm7 libc6 - 2.23-0ubuntu11.3+esm7 libc6-amd64 - 2.23-0ubuntu11.3+esm7 libc6-armel - 2.23-0ubuntu11.3+esm7 libc6-dev - 2.23-0ubuntu11.3+esm7 libc6-dev-amd64 - 2.23-0ubuntu11.3+esm7 libc6-dev-armel - 2.23-0ubuntu11.3+esm7 libc6-dev-i386 - 2.23-0ubuntu11.3+esm7 libc6-dev-s390 - 2.23-0ubuntu11.3+esm7 libc6-dev-x32 - 2.23-0ubuntu11.3+esm7 libc6-i386 - 2.23-0ubuntu11.3+esm7 libc6-pic - 2.23-0ubuntu11.3+esm7 libc6-s390 - 2.23-0ubuntu11.3+esm7 libc6-x32 - 2.23-0ubuntu11.3+esm7 locales - 2.23-0ubuntu11.3+esm7 locales-all - 2.23-0ubuntu11.3+esm7 multiarch-support - 2.23-0ubuntu11.3+esm7 nscd - 2.23-0ubuntu11.3+esm7 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro.

Fixed VMware Products and Versions

  • Platform Automation Toolkit
    • 4.4.32 or greater
    • 5.0.25 or greater
    • 5.1.2 or greater
  • Tanzu Greenplum for Kubernetes
    • 2.0.0 or greater
  • CF Deployment
    • 30.0.0 or greater
  • Xenial Stemcells
    • 621.969 or greater
  • Operation Manager
    • 2.10.75 or greater
  • Operations Manager Image
    • 2.10.75 or greater

References

https://ubuntu.com/security/notices/USN-6804-1

https://www.cloudfoundry.org/blog/usn-6804-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6804-1

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24746

History

2024-05-31: Initial vulnerability report published.