000032579 - Stack-based buffer overflow vulnerability with glibc getaddrinfo (CVE-2015-7547) in RSA products

Document created by RSA Customer Support Employee on Jun 14, 2016

Article Content

Article Number: 000032579
Applies To: All RSA Products
Issue: CVE-2015-7547 - glibc getaddrinfo stack-based buffer overflow
On February 16, 2016, a vulnerability was publicly announced in the Linux glibc library (the GNU C Library). The vulnerability was independently discovered by researchers at Google and Red Hat. The glibc DNS client-side resolver is potentially vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. A remote attacker could create specially crafted DNS responses, which could cause the library to crash or potentially execute code with the permissions of the user running the affected application.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2015-7547. Details of the vulnerability are available in the Google blog post:
https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
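Many rows in the table below tell customers to "follow OS vendor guidelines to patch the underlying host". The following added example (not part of the RSA advisory) is a host-side check for that step: it reads the running glibc's own version via gnu_get_libc_version() and compares it with glibc 2.23, the first upstream release containing the getaddrinfo fix. Versions below 2.23 are reported as "check vendor backport" rather than "vulnerable", because distributions shipped the fix in older package versions without changing the glibc version number.

```python
"""Host-side check for CVE-2015-7547 (glibc getaddrinfo stack overflow).

Added example; not part of the RSA advisory. Upstream glibc fixed the bug in
release 2.23. Distributions backported the fix to older package versions, so
a version below 2.23 is only "possibly vulnerable" and must be confirmed
against the OS vendor's package changelog.
"""
import ctypes
import ctypes.util
import re
from typing import Optional, Tuple

UPSTREAM_FIXED = (2, 23)  # first glibc release with the getaddrinfo fix


def parse_glibc_version(version: str) -> Tuple[int, int]:
    """Turn '2.17' or '2.23-0ubuntu3' into a comparable (major, minor) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised glibc version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def classify(version: str) -> str:
    """Classify a glibc version string against the upstream fix.

    'fixed-upstream' for 2.23 and later; 'check-vendor-backport' for older
    versions, since the distro may have patched them without a version bump.
    """
    if parse_glibc_version(version) >= UPSTREAM_FIXED:
        return "fixed-upstream"
    return "check-vendor-backport"


def installed_glibc_version() -> Optional[str]:
    """Ask the running C library for its version via gnu_get_libc_version().

    Returns None when the host's C library is not glibc (musl, macOS, ...),
    in which case this CVE does not apply to that library.
    """
    name = ctypes.util.find_library("c")
    if not name:
        return None
    libc = ctypes.CDLL(name)
    try:
        fn = libc.gnu_get_libc_version
    except AttributeError:
        return None
    fn.restype = ctypes.c_char_p
    return fn().decode()


if __name__ == "__main__":
    v = installed_glibc_version()
    if v is None:
        print("no glibc found; CVE-2015-7547 does not apply to this C library")
    else:
        print(f"glibc {v}: {classify(v)}")
```

Run it on each Linux host that runs an affected product; for a "check-vendor-backport" result, confirm the installed package's changelog lists CVE-2015-7547 before treating the host as patched.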
 
Resolution: RSA is aware of and investigating this issue to identify the product impact. The level of impact may vary depending on the affected product. The following table contains the latest available impact information. This table will be updated as additional information becomes available.
 
| RSA Product Name | Versions | Impacted? | Details | Last Updated |
|---|---|---|---|---|
| 3D Secure / Adaptive Authentication eCommerce | All Supported | Impacted | Remediation plan in progress (tentative target date to patch: Feb 28) | 2/22/2016 |
| Access Manager | All Supported | Not Impacted | Software does not ship with any glibc files. Follow OS vendor guidelines to patch underlying host. | 2/22/2016 |
| Adaptive Authentication Hosted | All Supported | Impacted | Remediation plan in progress (tentative target date to patch: Feb 28) | 2/22/2016 |
| Adaptive Authentication On-Prem | All Supported | Not Impacted | AAoP is software only and does not ship with Linux OS. Follow OS vendor guidelines to patch underlying host. | 2/25/2016 |
| Archer Hosted | N/A | Not Impacted | | 2/22/2016 |
| Archer Platform | All Supported | Not Impacted | | 3/4/2016 |
| Archer SecOps | All Supported | Not Impacted | | 3/4/2016 |
| Archer Vulnerability & Risk Manager (VRM) | All Supported | Not Impacted | | 3/4/2016 |
| Authentication Manager Software Platform | 7.1 SP4 | Not Impacted | Software application and does not ship with Linux OS. Follow OS vendor guidelines to patch underlying host. | 2/18/2016 |
| Authentication Manager Appliance | 8.1 SP1 | Impacted | A hotfix or patch is being planned, tentative target date early Q2. Workaround is to disable the use of DNS. | 2/18/2016 |
| Authentication Manager Appliance | 3.0 SP4 | Not Impacted | | 2/19/2016 |
| BSAFE C Products: SSL-C, Cert-C, Crypto-C, MES, CCME | All Supported | Not Impacted | BSAFE products do not ship any specific glibc files. They are dependent on the libraries installed on the OS; follow OS vendor guidelines to patch. | 2/19/2016 |
| BSAFE Java Products: SSL-J, Cert-J, Crypto-J | All Supported | Not Impacted | BSAFE products do not ship any specific glibc files. They are dependent on the libraries installed on the OS; follow OS vendor guidelines to patch. | 2/19/2016 |
| Data Loss Prevention | 9.6 | Impacted - Remediated | This issue is fixed in DLP 9.6 SP2 P5 (see ESA-2016-043). DLP Datacenter, DLP Endpoint, and DLP Enterprise Manager are NOT impacted. | 4/27/2016 |
| Data Protection Manager | All Supported | Impacted - Remediated | This issue is fixed in DPM Appliance 3.5.2.4.3. For more details, see SCOL Advisory ESA-2016-014. | 2/22/2016 |
| DCS: Certificate Manager | All Supported | Not Impacted | RCM software does not ship with any glibc files. Follow OS vendor guidelines to patch underlying host if needed. | 2/18/2016 |
| DCS: Validation Manager | All Supported | Not Impacted | RVM software does not ship with any glibc files. Follow OS vendor guidelines to patch underlying host if needed. | 2/18/2016 |
| ECAT | All Supported | Not Impacted | ECAT does not statically link to glibc, hence not impacted. | 3/1/2016 |
| eFraudNetwork (eFN) | All Supported | Impacted - Remediated | This issue has been fixed as of 2/24/2016 by applying a patch. | 3/28/2016 |
| Federated Identity Manager | All Supported | Not Impacted | Software does not ship with any glibc files. Follow OS vendor guidelines to patch underlying host. | 2/22/2016 |
| FraudAction (OTMS) | All Supported | Impacted | Remediation plan in progress (tentative target date to patch: Feb 28) | 2/22/2016 |
| RSA Central | All Supported | Not Impacted | | 2/22/2016 |
| RSA Live Infrastructure | All Supported | Impacted - Remediated | | 2/24/2016 |
| RSA Via Lifecycle and Governance SaaS (RSA Via L&G SaaS) | All Supported | Impacted - Remediated | | 3/7/2016 |
| RSA Via Lifecycle and Governance On-Prem Platform, RSA Identity Management & Governance On-Prem Platform | All Supported | Not Impacted | Software application and does not ship with Linux OS. Follow OS vendor guidelines to patch underlying host. | 2/23/2016 |
| RSA Via Lifecycle and Governance Appliance, RSA Identity Management & Governance Appliance | All Supported | Impacted - Remediated | RHEL deployment not impacted. SUSE deployment is fixed with Appliance Updater - Q1 2016 Release (see SCOL Advisory ESA-2016-022). | 3/9/2016 |
| RSA Via L&G Data Access Governance (DAG), RSA IMG (Aveksa) Data Access Governance (DAG) | All Supported | Not Impacted | Software does not receive, perform or allow end users to craft DNS queries or responses in the way that would be subject to this vulnerability in any form. | 2/23/2016 |
| SecurID Agent for PAM | All Supported | Not Impacted | If installed on a Linux system, follow OS vendor guidelines to patch the underlying host. | 2/19/2016 |
| SecurID Agent for Web | All Supported | Not Impacted | If installed on a Linux system, follow OS vendor guidelines to patch the underlying host. | 2/19/2016 |
| SecurID Agent for Windows | All Supported | Not Impacted | | 2/18/2016 |
| SecurID Authentication Engine | All Supported | Not Impacted | If installed on a Linux system, follow OS vendor guidelines to patch the underlying host. | 2/19/2016 |
| SecurID Authentication SDK | All Supported | Not Impacted | If building or executing an application built with an SDK on a Linux system, follow OS vendor guidelines to patch the underlying host. | 2/19/2016 |
| SecurID Software Token Converter | All Supported | Not Impacted | | 2/18/2016 |
| SecurID Software Token for Android | All Supported | Not Impacted | | 2/18/2016 |
| SecurID Software Token for Blackberry | All Supported | Not Impacted | | 2/18/2016 |
| SecurID Software Token for Desktop | All Supported | Not Impacted | | 2/18/2016 |
| SecurID Software Token for iPhone | All Supported | Not Impacted | | 2/18/2016 |
| SecurID Software Token for Windows Mobile | All Supported | Not Impacted | | 2/18/2016 |
| SecurID Software Token Toolbar | All Supported | Not Impacted | If installed on a Linux system, follow OS vendor guidelines to patch the underlying host. | 2/19/2016 |
| SecurID Software Token Web SDK | All Supported | Not Impacted | If building or executing an application built with an SDK on a Linux system, follow OS vendor guidelines to patch the underlying host. | 2/19/2016 |
| SecurID Transaction Signing SDK | All Supported | Not Impacted | If building or executing an application built with an SDK on a Linux system, follow OS vendor guidelines to patch the underlying host. | 2/19/2016 |
| Security Analytics (Physical and Virtual Appliances) | All Supported | Impacted - Remediated | This issue is fixed in patches 10.4.1.6 (see SCOL Note and release notes) and 10.5.2 (see ESA-2016-023). | 6/2/2016 |
| Security Analytics (Windows Legacy Collector) | All Supported | Not Impacted | | 2/18/2016 |
| Via Access IDR VM | All Supported | Impacted | This issue will be fixed in a patch (tentative target date March 5th). | 2/22/2016 |
| Via Access Cloud Service | All Supported | Impacted | This issue will be fixed after applying a patch (tentative target date March 5th). | 2/22/2016 |
| Web Threat Detection (SilverTail) | All Supported | Not Impacted | WTD software does not ship any specific glibc files. Follow OS vendor guidelines to patch underlying host. | 2/23/2016 |
Notes: Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC distributes RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
