DOCUMENTATION: A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge. STATEMENT: This issue is only exploitable when the condition detailed in the description is present in the system. However, all glibc versions shipped in Red Hat Enterprise Linux are vulnerable to this issue. MITIGATION: Removing the "SUCCESS=continue" or "SUCCESS=merge" configuration from the hosts database in /etc/nsswitch.conf will mitigate this vulnerability. Note that, these options are not supported by the hosts database, if they were working before it was because of this bug.
Ensure software updates are applied regularly.
MEDIUM
canonical; glibc; 2.35-0ubuntu3.4
CVE-2023-4806
DOCUMENTATION: A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the nss_gethostbyname2_r and nss_getcanonname_r hooks without implementing the nss*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags. STATEMENT: This issue is only exploitable with very specific conditions, as detailed in the description. However, all glibc versions shipped in Red Hat Enterprise Linux are vulnerable to this issue.
Ensure software updates are applied regularly.
MEDIUM
canonical; glibc; 2.35-0ubuntu3.4
CVE-2023-5156
DOCUMENTATION: A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.
Ensure software updates are applied regularly.
HIGH
canonical; glibc; 2.35-0ubuntu3.4
Release Notes
None
Activity
Show:
Fixed
Pinned fields
Click on the next to a field label to start pinning.
Finding
Description
Recommendation
Severity
Vendor; Product; Version
Reference
CVE-2023-4813
DOCUMENTATION: A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge. STATEMENT: This issue is only exploitable when the condition detailed in the description is present in the system. However, all glibc versions shipped in Red Hat Enterprise Linux are vulnerable to this issue. MITIGATION: Removing the "SUCCESS=continue" or "SUCCESS=merge" configuration from the hosts database in /etc/nsswitch.conf will mitigate this vulnerability. Note that, these options are not supported by the hosts database, if they were working before it was because of this bug.
Ensure software updates are applied regularly.
MEDIUM
canonical; glibc; 2.35-0ubuntu3.4
CVE-2023-4806
DOCUMENTATION: A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the nss_gethostbyname2_r and nss_getcanonname_r hooks without implementing the nss*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags. STATEMENT: This issue is only exploitable with very specific conditions, as detailed in the description. However, all glibc versions shipped in Red Hat Enterprise Linux are vulnerable to this issue.
Ensure software updates are applied regularly.
MEDIUM
canonical; glibc; 2.35-0ubuntu3.4
CVE-2023-5156
DOCUMENTATION: A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.
Ensure software updates are applied regularly.
HIGH
canonical; glibc; 2.35-0ubuntu3.4