CVE Fixes

Vulnerabilities in Wget

  • GNU Wget is a common Unix utility for retrieving remote files. Wget contains two vulnerabilities, a stack overflow and a heap overflow, in its handling of HTTP chunked transfer encoding. The overflow is triggered by the server's response, so a malicious or compromised HTTP server, or anyone able to tamper with a plain-HTTP response in transit, can exploit it; by convincing a user to download a specific link over HTTP, an attacker may be able to execute arbitrary code with the privileges of the user running wget. Customers running Control Panel servers, Static compute resources and Backup servers under CentOS 7.x need to update the wget package to at least version 1.14-15.el7_4.1 using the following command:

    # yum update wget

Kernel and glibc updates addressing CVE-2017-1000364 and CVE-2017-1000366 (the "Stack Clash" issue).

CVE-2017-1000364

  • A flaw was found in the way memory is allocated on the stack for user-space binaries. If the heap (or another memory region) and the stack are adjacent, an attacker can use this flaw to jump over the stack guard gap, cause controlled memory corruption on the process stack or the adjacent region, and thereby escalate privileges on the system. This is the kernel-side mitigation: it increases the stack guard gap from one page to 1 MiB, making successful exploitation more difficult.

CVE-2017-1000366

  • The same flaw as above: with the heap (or another memory region) adjacent to the stack, an attacker can jump over the stack guard gap, corrupt the process stack or the adjacent region in a controlled way, and escalate privileges. This is the glibc-side mitigation: the dynamic loader no longer processes LD_LIBRARY_PATH for programs running in secure-execution mode (setuid/setgid binaries and binaries with file capabilities) and performs fewer allocations while processing LD_AUDIT, LD_PRELOAD and LD_HWCAP_MASK, making successful exploitation more difficult.

To check whether your server is affected by the issues above download the latest vulnerability detection script from the Diagnose tab at https://access.redhat.com/security/vulnerabilities/stackguard and run it on your server.

To apply the kernel and glibc fixes described above, update the kernel and glibc packages on Control Panel, Static Compute Resources and Static Backup Servers, then reboot. yum installs the new kernel next to the old one and the vulnerable kernel stays in use until the reboot; the updated glibc is likewise only picked up by processes started after the update, so the reboot is required for both fixes to take effect:

    # yum update "kernel*"
    # yum update glibc
    # reboot

After the update the packages should be at least the following versions:

  • CentOS 6.x: kernel-2.6.32-696.3.2.el6, glibc-2.12-1.209.el6_9.2
  • CentOS 7.x: kernel-3.10.0-514.21.2.el7, glibc-2.17-157.el7_3.4
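Checking the installed versions against these minimums (and against the wget minimum from the first section) needs an RPM-style comparison, not a string comparison: as strings, kernel 3.10.0-514.6.1.el7 sorts after 3.10.0-514.21.2.el7 because "6" > "2". The following Ruby script is an added example, not code from OnApp or Red Hat. It reads the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' kernel glibc wget`, compares it with the versions this advisory lists for CentOS 6 and 7, and separately checks `uname -r`, because `rpm -q kernel` also lists a fixed kernel that has been installed but not yet booted. The "el6"/"el7" keys, the function names and the sample query output are this example's own; the sample data is constructed, not captured from a real host.

```ruby
# Compare two RPM version strings the way rpmvercmp does: split into runs of
# digits and letters, compare numerically or lexically segment by segment.
# (Epoch and the tilde/caret rules are omitted; this advisory's versions use neither.)
def rpm_vercmp(a, b)
  sa = a.scan(/\d+|[A-Za-z]+/)
  sb = b.scan(/\d+|[A-Za-z]+/)
  [sa.length, sb.length].min.times do |i|
    x, y = sa[i], sb[i]
    x_num = x.match?(/\A\d+\z/)
    y_num = y.match?(/\A\d+\z/)
    return (x_num ? 1 : -1) if x_num != y_num      # a numeric segment sorts newer than an alphabetic one
    c = x_num ? (x.to_i <=> y.to_i) : (x <=> y)
    return c unless c.zero?
  end
  sa.length <=> sb.length                           # all shared segments equal: the longer string is newer
end

# "VERSION-RELEASE" is compared as rpm does: version first, then release.
def rpm_evr_cmp(a, b)
  va, ra = a.split("-", 2)
  vb, rb = b.split("-", 2)
  c = rpm_vercmp(va, vb)
  c.zero? ? rpm_vercmp(ra.to_s, rb.to_s) : c
end

# Minimum fixed versions named in this advisory, keyed by RPM dist tag (our own key names).
MINIMUM_VERSIONS = {
  "el6" => { "kernel" => "2.6.32-696.3.2.el6", "glibc" => "2.12-1.209.el6_9.2" },
  "el7" => { "kernel" => "3.10.0-514.21.2.el7", "glibc" => "2.17-157.el7_3.4",
             "wget"   => "1.14-15.el7_4.1" },
}.freeze

# Parse output of: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' kernel glibc wget
# Several kernel packages are usually installed side by side; keep the newest per name.
def parse_rpm_query(text)
  text.each_line.with_object({}) do |line, h|
    name, evr = line.split
    next if name.nil? || evr.nil?
    h[name] = evr if h[name].nil? || rpm_evr_cmp(evr, h[name]) > 0
  end
end

# { name => :ok | :outdated | :missing } for each package the advisory lists for dist.
def check_packages(dist, installed)
  MINIMUM_VERSIONS.fetch(dist).each_with_object({}) do |(name, min), result|
    evr = installed[name]
    result[name] = if evr.nil?                      then :missing
                   elsif rpm_evr_cmp(evr, min) >= 0 then :ok
                   else                                  :outdated
                   end
  end
end

# `uname -r` names the kernel actually running (with an arch suffix). yum may have
# installed the fixed kernel while the vulnerable one is still booted, hence the reboot.
def running_kernel_ok?(dist, uname_r)
  evr = uname_r.sub(/\.(x86_64|i686|noarch)\z/, "")
  rpm_evr_cmp(evr, MINIMUM_VERSIONS.fetch(dist).fetch("kernel")) >= 0
end

# Constructed sample data (not captured from a real host): the fixed kernel is
# installed but not yet booted, glibc is fixed, wget is still at an older version.
SAMPLE_RPM_QUERY = <<~OUT
  kernel 3.10.0-514.10.2.el7
  kernel 3.10.0-514.21.2.el7
  glibc 2.17-157.el7_3.4
  wget 1.14-13.el7
OUT
SAMPLE_UNAME_R = "3.10.0-514.10.2.el7.x86_64"

if __FILE__ == $PROGRAM_NAME
  installed = parse_rpm_query(SAMPLE_RPM_QUERY)
  check_packages("el7", installed).each { |name, status| puts "#{name}: #{status}" }
  puts "running kernel: #{running_kernel_ok?("el7", SAMPLE_UNAME_R) ? "fixed" : "reboot required"}"
end
```

On a real host, replace the sample constants with the output of the rpm query above and of `uname -r`; a kernel reported as :ok by the package check but rejected by running_kernel_ok? means the update was installed and the reboot is still pending.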

Ruby 2.0.0 update addressing CVE-2014-3566, CVE-2014-8080 and CVE-2014-8090. Applicable to OnApp version 3.3.0 and higher.

CVE-2014-3566

  • The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

CVE-2014-8080

  • The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.

CVE-2014-8090

  • The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.
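Both REXML issues are exploited with a document whose internal DTD declares entities that reference each other, so that a few hundred bytes of XML expand to a very large text (the "billion laughs" pattern); a fixed REXML aborts once either the number of entity expansions or the size of the expanded text passes a limit. The following Ruby script is an added example, not code from the OnApp or Ruby projects. It builds such a document and then parses and expands it under the limits REXML exposes through `REXML::Document.entity_expansion_limit` and `REXML::Document.entity_expansion_text_limit` (defaults 10000 expansions and 10240 bytes in fixed versions), showing that a tight limit of either kind blocks the expansion while a benign document with one small entity still parses. The function and constant names and both sample documents are this example's own.

```ruby
require "rexml/document"

# Build a "billion laughs" document: lol0 is "lol" and each lolN references
# lol(N-1) `fanout` times, so &lol{depth}; expands to fanout**depth copies of "lol".
def xee_document(depth, fanout)
  entities = ['<!ENTITY lol0 "lol">']
  (1..depth).each do |i|
    refs = "&lol#{i - 1};" * fanout
    entities << "<!ENTITY lol#{i} \"#{refs}\">"
  end
  ['<?xml version="1.0"?>', '<!DOCTYPE lolz [', *entities, ']>',
   "<lolz>&lol#{depth};</lolz>"].join("\n")
end

# A harmless document with one small custom entity (constructed for this example);
# it must still parse and expand under tight limits.
BENIGN_XML = '<!DOCTYPE d [<!ENTITY name "OnApp">]><d>&name; Control Panel</d>'

# Parse the document and expand its root text under the given limits. Returns the
# size in bytes of the expanded text when REXML lets it through, or :blocked when one
# of the limits fires. REXML reports both limits as a RuntimeError whose message
# mentions "entity expansion"; anything else is a real error and is re-raised.
def expand_with_limits(xml, expansions:, text_bytes:)
  old = [REXML::Document.entity_expansion_limit, REXML::Document.entity_expansion_text_limit]
  REXML::Document.entity_expansion_limit = expansions
  REXML::Document.entity_expansion_text_limit = text_bytes
  REXML::Document.new(xml).root.text.bytesize   # expansion happens when the text is read
rescue RuntimeError => e                        # REXML::ParseException is a RuntimeError too
  raise unless e.message =~ /entity expansion/i
  :blocked
ensure
  REXML::Document.entity_expansion_limit, REXML::Document.entity_expansion_text_limit = old
end

if __FILE__ == $PROGRAM_NAME
  lolz = xee_document(3, 10)   # about 250 bytes of XML expanding to 1000 x "lol" = 3000 bytes
  puts "count limit hit:  #{expand_with_limits(lolz, expansions: 100, text_bytes: 1_000_000).inspect}"
  puts "size limit hit:   #{expand_with_limits(lolz, expansions: 100_000, text_bytes: 1024).inspect}"
  puts "permissive:       #{expand_with_limits(lolz, expansions: 100_000, text_bytes: 1_000_000).inspect}"
  puts "benign document:  #{expand_with_limits(BENIGN_XML, expansions: 100, text_bytes: 1024).inspect}"
end
```

The two limits cover different cases: the text-size limit stops an expansion that grows the document, while CVE-2014-8090 concerns entities that expand to an empty string, where the text never grows and only the expansion count can catch the work being done. In application code, treat the RuntimeError as a rejected document rather than retrying with higher limits.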

Fixes for the following vulnerabilities in LibYAML, the YAML 1.1 parser and emitter C library. Applicable to OnApp version 3.0 and higher.

CVE-2013-6393

  • The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.

CVE-2014-2525

  • Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.


To apply the LibYAML and Ruby fixes described above, update the packages on the Control Panel server as follows:

  • Log in to the Control Panel server via SSH and, as root, update LibYAML:

    # yum update libyaml
  • As root, update Ruby and RubyGems:

    # yum update ruby rubygems
  • Restart the onapp and httpd services. Processes that were already running keep the old libyaml and Ruby code mapped in memory, so the fixes are not in effect until they have been restarted.