GHOST is a heap-based buffer overflow vulnerability in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls.
Corporate Products:
GHOST is a critical vulnerability in the glibc gethostbyname() and gethostbyname2() function calls that allows local or remote attackers to execute arbitrary code with the permissions of the user running the affected application. The vulnerability affects glibc version 2.2 and other 2.x versions before 2.18. The identifier CVE-2015-0235 has been assigned to this issue.
This advisory will be updated as more information becomes available.
Note: Products and platforms not listed in this advisory are NOT affected by GHOST.
The following products/platforms are affected and are already patched.
Product | Requires User Action? (Yes/No) | Remarks |
---|---|---|
F-SECURE MESSAGING SECURITY GATEWAY 7.0.2 - 7.5.0 | Yes | Verify that patch has been installed in the appliance. MSG 7.0.2 – Patch 2200; MSG 7.1.0 – Patch 2201; MSG 7.2.0 – Patch 2202; MSG 7.5.0 – Patch 2203 |
F-SECURE PROTECTION SERVICE FOR EMAIL 7.0.2 - 7.5.0 | Yes | Verify that patch has been installed in the appliance. PSE 7.0.2 – Patch 2200; PSE 7.1.0 – Patch 2201; PSE 7.2.0 – Patch 2202; PSE 7.5.0 – Patch 2203 |
F-SECURE INTERNET GATEKEEPER VIRTUAL APPLIANCE (IGK VA) 4.11 | Yes | Upgrade to F-Secure Internet Gatekeeper Virtual Appliance (IGK VA) 5.20. |
F-SECURE INTERNET GATEKEEPER VIRTUAL APPLIANCE (IGK VA) 5.20 | Yes | |
F-SECURE SCANNING REPUTATION SERVER VIRTUAL APPLIANCE (SRS VA) 11.00 | Yes | |
The following products/platforms are not affected, but require user action.
Product | Remarks |
---|---|
F-SECURE LINUX SECURITY | F-Secure Linux Security depends on the glibc provided by the operating system. Countermeasure: Update glibc when an update is made available through the operating system's update channel. |
F-SECURE INTERNET GATEKEEPER | F-Secure Internet Gatekeeper depends on the glibc provided by the operating system. Countermeasure: Update glibc when an update is made available through the operating system's update channel. |
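
A host-side check for the countermeasure above, as an added example (not F-Secure's code): it reads the running glibc version with `getconf GNU_LIBC_VERSION` and tests it against the range this advisory states, 2.x before 2.18. The `ghost_*` function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare a glibc version with the range this advisory gives
# for CVE-2015-0235 (2.x releases before 2.18).
# The ghost_* names are hypothetical, not part of any F-Secure tool.

# Return 0 if VERSION (e.g. "2.17", "2.12.1", "2.17-55.el7") is in that range,
# 1 if it is outside it, 2 if the string cannot be parsed.
ghost_version_in_range() {
    gv_ver=$1
    case $gv_ver in *.*) ;; *) return 2 ;; esac
    gv_major=${gv_ver%%.*}
    gv_rest=${gv_ver#*.}
    gv_minor=${gv_rest%%[!0-9]*}   # keep leading digits, drop ".1", "-55.el7", ...
    case $gv_major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$gv_minor" ] || return 2
    if [ "$gv_major" -eq 2 ] && [ "$gv_minor" -lt 18 ]; then return 0; fi
    return 1
}

# Print the running glibc version; fail on systems that do not use glibc.
ghost_host_glibc_version() {
    gv_out=$(getconf GNU_LIBC_VERSION 2>/dev/null) || return 1
    case $gv_out in
        glibc\ *) printf '%s\n' "${gv_out#glibc }" ;;   # output is "glibc 2.17"
        *) return 1 ;;
    esac
}

# Report on this host. Always returns 0 so it can run in unattended scripts.
ghost_check_host() {
    if ! gv_host=$(ghost_host_glibc_version); then
        echo "glibc version not available (not a glibc system?)"
        return 0
    fi
    gv_rc=0
    ghost_version_in_range "$gv_host" || gv_rc=$?
    case $gv_rc in
        0) echo "glibc $gv_host: in the advisory's range, confirm the fixed OS package is installed" ;;
        1) echo "glibc $gv_host: outside the advisory's range" ;;
        *) echo "glibc $gv_host: version string not understood" ;;
    esac
}

ghost_check_host
```

Distributions commonly backport the fix without changing the upstream version number, so an in-range result means the package's patch level still has to be confirmed through the operating system's update channel.
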
Date | Changes |
---|---|
9 February 2015 | |
5 February 2015 | First advisory published. |
Date Issued: 2015-02-05
Date Updated: 2015-02-09