glibc Ghost vulnerability

cayaraa
Outstanding Member
Posts: 333
Joined: Sat Sep 13, 2014 12:33 am
ZCS/ZD Version: ZCS 8.7 NE & ZCS 8.7 FOSS

Postby cayaraa » Wed Jan 28, 2015 9:35 am


Is it known if Zimbra has any binary files that have statically linked glibc, or will updating the host catch all the links to the system glibc?

I've checked nginx and postfix and both of them seem to be using the system one:

$ ldd /opt/zimbra/nginx/sbin/nginx |grep "libc."
libc.so.6 => /lib64/libc.so.6 (0x00007f12deda2000)

$ ldd /opt/zimbra/postfix/sbin/postfix |grep "libc."
libc.so.6 => /lib64/libc.so.6 (0x00007fc3f9e0e000)

https://isc.sans.edu/forums/diary/New+Critical+GLibc+Vulnerability+CVE20150235+aka+GHOST/19237/
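The question above (does any Zimbra binary carry a statically linked or bundled glibc that an OS package update would miss) can be answered for a whole tree instead of one `ldd` call at a time. The script below is an added example, not code from this thread or from Zimbra: it classifies each ELF executable by what `ldd` reports, using the same `libc.so.6 => /lib64/libc.so.6` line shape shown in the post. The embedded `ldd` outputs are constructed for offline demonstration (the `/opt/example/lib/libc.so.6` path is hypothetical); on a real host you would run `sh check_libc.sh /opt/zimbra`.

```shell
#!/bin/sh
# Added example: classify how executables link glibc, from `ldd` output.
# A binary that is statically linked, or that loads a libc bundled outside
# the distro's library directories, is NOT fixed by updating the OS glibc
# package; only binaries that resolve libc.so to /lib*/ or /usr/lib*/ are.

# Reads `ldd <binary>` output on stdin and prints one word:
#   system  - dynamically linked to the distro libc (OS update covers it)
#   bundled - dynamically linked to a libc outside the system paths
#   static  - not a dynamic executable (carries its own copy of glibc)
#   none    - dynamic, but no libc.so entry found (e.g. a non-glibc binary)
classify_libc_linkage() {
    ldd_output="$(cat)"
    case "$ldd_output" in
        *"not a dynamic executable"*|*"statically linked"*)
            echo static
            return 0 ;;
    esac
    libc_path="$(printf '%s\n' "$ldd_output" \
        | sed -n 's/^[[:space:]]*libc\.so\.[0-9][0-9]* => \([^ ]*\).*/\1/p' \
        | head -n 1)"
    if [ -z "$libc_path" ]; then
        echo none
        return 0
    fi
    case "$libc_path" in
        /lib/*|/lib32/*|/lib64/*|/usr/lib/*|/usr/lib32/*|/usr/lib64/*) echo system ;;
        *) echo bundled ;;
    esac
}

# True if the file starts with the ELF magic. Skips shell scripts and other
# non-ELF executables, which ldd would report as "not a dynamic executable".
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null)" = "$(printf '\177ELF')" ]
}

# Walks a directory (e.g. /opt/zimbra) and prints "<class><tab><path>" for
# every executable ELF file; `grep -v '^system'` on the output lists what an
# OS glibc update would not cover.
scan_tree_for_libc() {
    find "$1" -type f -perm -u+x 2>/dev/null | while read -r f; do
        is_elf "$f" || continue
        printf '%s\t%s\n' "$(ldd "$f" 2>/dev/null | classify_libc_linkage)" "$f"
    done
}

# Constructed sample ldd outputs (modelled on the lines posted above), so the
# classifier can be exercised without a Zimbra host.
SAMPLE_SYSTEM='	linux-vdso.so.1 =>  (0x00007fff5a1ff000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f12deda2000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f12df5a0000)'
SAMPLE_BUNDLED='	libc.so.6 => /opt/example/lib/libc.so.6 (0x00007f0000000000)'
SAMPLE_STATIC='	not a dynamic executable'

if [ $# -gt 0 ]; then
    scan_tree_for_libc "$1"
else
    for name in SAMPLE_SYSTEM SAMPLE_BUNDLED SAMPLE_STATIC; do
        eval "sample=\$$name"
        printf '%s: %s\n' "$name" "$(printf '%s\n' "$sample" | classify_libc_linkage)"
    done
fi
```

Run with no arguments it classifies the three constructed samples; with a directory argument it scans that tree. Anything reported as `static` or `bundled` keeps its own glibc copy and has to be rebuilt or updated by its vendor, not by the distro package.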



cayaraa
Outstanding Member
Posts: 333
Joined: Sat Sep 13, 2014 12:33 am
ZCS/ZD Version: ZCS 8.7 NE & ZCS 8.7 FOSS

Postby cayaraa » Wed Jan 28, 2015 9:56 am

Sounds like it might not be as commonly exploitable as the first stuff I was reading led me to believe:

"Here is a list of potential targets that we investigated (they all call
gethostbyname, one way or another), but to the best of our knowledge,
the buffer overflow cannot be triggered in any of them:

apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,
nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,
pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,
vsftpd, xinetd."

http://www.openwall.com/lists/oss-security/2015/01/27/18
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Wed Jan 28, 2015 11:59 am

Hi cayaraa,
It is a critical issue and we need to update the OS to be sure that you are not vulnerable through other applications.

Best regards

Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
mhlevy
Advanced member
Posts: 59
Joined: Sat Sep 13, 2014 2:09 am
Location: Overland Park, KS USA
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU12.64 U

Postby mhlevy » Wed Jan 28, 2015 12:10 pm

Thank you for the information, but I do have a question regarding the update. Ubuntu recommends using the following commands:

sudo apt-get clean
sudo apt-get update
sudo apt-get dist-upgrade

Will this be safe to run on Ubuntu Linux servers, as far as not "disturbing" the Zimbra installation?

Thank you for your time!

Mark
________________________
Network Administrator
Overland Park, KS, USA
Release 8.6.0.GA.1153.UBUNTU12.64 UBUNTU12_64 NETWORK edition, Patch 8.6.0_P6.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Wed Jan 28, 2015 12:16 pm

Hi mhlevy,

If you run a dist-upgrade you will upgrade all of Ubuntu to the next version. You need to run these steps:

sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade

Remember to take a backup or snapshot first.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
mhlevy
Advanced member
Posts: 59
Joined: Sat Sep 13, 2014 2:09 am
Location: Overland Park, KS USA
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU12.64 U

Postby mhlevy » Wed Jan 28, 2015 12:34 pm

Thanks very much. That could have been a disaster, and thankfully, we are running the Ubuntu servers on VMware, so snapshots will be taken before.
________________________
Network Administrator
Overland Park, KS, USA
Release 8.6.0.GA.1153.UBUNTU12.64 UBUNTU12_64 NETWORK edition, Patch 8.6.0_P6.
Paladinemishakal
Posts: 48
Joined: Sat Sep 13, 2014 2:37 am

Postby Paladinemishakal » Thu Jan 29, 2015 5:55 am

Hi All,

Can we do an "apt-get install --only-upgrade libc-bin libc-dev-bin libc6 libc6-dev" or "apt-get upgrade" then the "apt-get dist-upgrade"?

Regards.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Thu Jan 29, 2015 6:00 am

Hi Paladinemishakal,

With an apt-get update and apt-get upgrade you need to be on the proper version of the libc packages. Don't do a dist-upgrade; you will upgrade your entire Ubuntu to the next version, 10 to 12, 12 to 14.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
dbayer
Advanced member
Posts: 52
Joined: Thu Oct 09, 2014 9:10 am
Location: Maine
ZCS/ZD Version: Zimbra 8.8.15

Postby dbayer » Thu Jan 29, 2015 7:53 am

Just to be perfectly clear: we should run ONLY

sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade

and nothing else, correct?

In addition, it appears that 14.04 and beyond are NOT affected by this vulnerability:

http://www.ubuntu.com/usn/usn-2485-1/

Thanks,
Daniel

jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Thu Jan 29, 2015 7:55 am

Yes,

Try with these commands, and check if your affected packages are fixed after launching them; it should work.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
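Two checks help with the upgrade sequence discussed in this thread: before running it on a production mailbox server, seeing exactly which packages `apt-get upgrade` would touch (so that the change stays limited to the libc packages Paladinemishakal listed), and after it, confirming that no long-running Zimbra process is still mapping the old libc, since a replaced library stays in use by every process that loaded it until that process is restarted. The script below is an added example, not from the thread, Zimbra or Ubuntu: it parses the dry-run output of `apt-get -s upgrade` and flags packages outside an expected set, and it lists processes whose mapped libc file has been deleted on disk. The embedded dry-run output is constructed; `OLD_VERSION` and `NEW_VERSION` are placeholders, not the real package versions from the USN.

```shell
#!/bin/sh
# Added example: review an apt upgrade plan before applying it, and find
# processes still running on a replaced libc afterwards.

# Reads `apt-get -s upgrade` (dry-run) output on stdin and prints the package
# names that would be installed or upgraded, one per line, sorted (C locale so
# the order does not depend on the host's collation settings).
planned_packages() {
    sed -n 's/^Inst \([^ ]*\) .*/\1/p' | LC_ALL=C sort -u
}

# Reads the same dry-run output on stdin and prints every planned package that
# is not in the space-separated allow-list given as $1. Returns 0 when the plan
# is limited to the expected packages, 1 otherwise.
unexpected_packages() {
    allowed=" $1 "
    rc=0
    for pkg in $(planned_packages); do
        case "$allowed" in
            *" $pkg "*) ;;
            *) echo "$pkg"; rc=1 ;;
        esac
    done
    return $rc
}

# Lists "<pid><tab><command>" for processes that still map a libc file which
# has been replaced on disk since they started (Linux only, reads /proc/<pid>/maps).
# Anything listed (Zimbra's java, mysqld, nginx, postfix, ...) needs a restart
# before the new glibc is actually in effect for it.
stale_libc_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid="${maps#/proc/}"; pid="${pid%/maps}"
        if grep -q 'libc[-.].*(deleted)' "$maps" 2>/dev/null; then
            printf '%s\t%s\n' "$pid" \
                "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)"
        fi
    done
}

# Constructed dry-run output in the shape of `apt-get -s upgrade` on a 12.04
# host. OLD_VERSION/NEW_VERSION are placeholders; tzdata is included to show
# how a package outside the expected set is reported.
SAMPLE_PLAN='Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  libc-bin libc-dev-bin libc6 libc6-dev tzdata
5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libc-bin [OLD_VERSION] (NEW_VERSION Ubuntu:12.04/precise-updates [amd64])
Inst libc6 [OLD_VERSION] (NEW_VERSION Ubuntu:12.04/precise-updates [amd64])
Inst libc-dev-bin [OLD_VERSION] (NEW_VERSION Ubuntu:12.04/precise-updates [amd64])
Inst libc6-dev [OLD_VERSION] (NEW_VERSION Ubuntu:12.04/precise-updates [amd64])
Inst tzdata [OLD_VERSION] (NEW_VERSION Ubuntu:12.04/precise-updates [all])
Conf libc-bin (NEW_VERSION Ubuntu:12.04/precise-updates [amd64])
Conf libc6 (NEW_VERSION Ubuntu:12.04/precise-updates [amd64])'

GLIBC_PACKAGES='libc-bin libc-dev-bin libc6 libc6-dev'

if [ "${1:-}" = "--check-running" ]; then
    stale_libc_processes
else
    echo "Planned upgrades:"
    printf '%s\n' "$SAMPLE_PLAN" | planned_packages
    if extra="$(printf '%s\n' "$SAMPLE_PLAN" | unexpected_packages "$GLIBC_PACKAGES")"; then
        echo "Plan is limited to the glibc packages."
    else
        echo "Plan also touches: $extra"
    fi
fi
```

On a real host the plan check is `apt-get -s upgrade | unexpected_packages "$GLIBC_PACKAGES"` (run it after `apt-get update`), and `sh check_upgrade.sh --check-running` after the upgrade shows which services still need a restart; an empty list means every process has picked up the new library.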
