Protecting Against CVE-2015-7547
The Google Security Team and Red Hat have discovered a flaw in the way that certain types of DNS lookups are handled on some Linux servers. By exploiting this critical vulnerability, an attacker could gain full control over the system.
Liquid Web is proactively ensuring that all Managed servers are patched, and will be notifying customers directly of the relevant details. As long as we’re able to access the server, no further action should be required on your part. If you’re not certain whether we have your server’s current password on file, you may wish to update your server password in Manage, and you also may wish to check that automatic operating system package updates are enabled in cPanel/WHM.
Managed Liquid Web customers may, depending on notification preferences, receive a cPanel notice referring to “Altered RPMs” after the patch is applied. This notification indicates that operating system packages have been updated outside of cPanel, and in this case is no cause for alarm. While the subject of the message may sound ominous, it is not related to the vulnerability itself. Rather, the notice is a result of the fact that the server’s operating system packages were upgraded. For more information, you may refer to Altered RPMs. If you need further assistance, feel free to contact Heroic Support®.
Liquid Web customers with self-managed servers will want to follow the instructions in this article to determine whether their server is vulnerable and to upgrade their operating system packages.
Impact
The code that causes the vulnerability was introduced in a 2008 update to the GNU C Library (glibc). That package contains a library against which all GNU/Linux programs are linked, and the flaw affects the version of glibc included in a number of current Linux distributions:
- Red Hat Enterprise Linux 6 and 7
- CentOS 6 and 7
- Fedora 22 and 23
- Ubuntu 12.04 LTS, 14.04 LTS, and 15.10
- Debian 6 (squeeze), 7 (wheezy), and 8 (jessie)
Resolution
On affected servers, glibc needs to be updated and the server rebooted. Managed Liquid Web customers do not need to take any action: All managed servers will be updated and rebooted as outlined in the notification sent to customers. Only self-managed servers will need to be manually updated and rebooted.
Step #1: Check the Current glibc Version
- On CentOS 6 and CentOS 7 servers, run:
yum list glibc
That will produce output similar to:
[root@host ~]# yum list glibc
Installed Packages
glibc.x86_64 2.17-106.el7_2.1 @system-updates-released
Available Packages
glibc.i686 2.17-106.el7_2.1 system-updates-released
The currently installed version is listed under Installed Packages.
- On Fedora 22 and Fedora 23 servers, run:
dnf list glibc
That will produce output similar to:
[root@host ~]# dnf list glibc
Installed Packages
glibc.x86_64 2.21-5.fc22 @System
Available Packages
glibc.i686 2.21-5.fc22 fedora
The currently installed version is listed under Installed Packages.
- On Debian (6, 7, and 8) and Ubuntu (12.04 LTS, 14.04 LTS, 15.10) servers, run:
ldd --version
That will produce output similar to:
[root@host ~]# ldd --version
ldd (Ubuntu EGLIBC 2.21-0ubuntu4.1) 2.19
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
The currently installed package version is the one shown in parentheses on the first line; in this example it is 2.21-0ubuntu4.1.
Step #2: Is the Installed Version Vulnerable?
If the version returned by the command you ran above matches (or exceeds) the version listed below for your operating system, then the vulnerability has already been patched:
- Patched versions:
- CentOS 6: glibc-2.12-1.166.el6_7.7
- CentOS 7: glibc-2.17-106.el7_2.4
- Fedora 22: glibc-2.21-11.fc22
- Fedora 23: glibc-2.22-9.fc23
- Debian 6 (squeeze): eglibc 2.11.3-4+deb6u11
- Debian 7 (wheezy): eglibc 2.13-38+deb7u10
- Debian 8 (jessie): glibc 2.19-18+deb8u3
- Ubuntu 15.10: libc6 2.21-0ubuntu4.1
- Ubuntu 14.04 LTS: libc6 2.19-0ubuntu6.7
- Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.13
If the version returned by the command you ran in Step 1 is lower than what’s listed above for your operating system — and you have a self-managed server — you will need to proceed to Step 3 to upgrade and reboot.
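The comparison in Steps 1 and 2 is easy to get wrong by eye (for example, release 5.fc22 is older than 11.fc22 even though "5" sorts after "1" as text). The following script, an added example that is not part of the Liquid Web article, parses the output of the commands from Step 1 and compares the installed version against the patched versions listed in Step 2. The version comparator is a simplified form of the rpm/dpkg ordering rules (an assumption: it handles the version strings on this page but ignores epochs and tilde ordering), and the sample command outputs are constructed from the examples in Step 1.

```python
"""Check an installed glibc version against the CVE-2015-7547 patched versions.

Added example (not Liquid Web's code): parses `yum list glibc` / `dnf list glibc`
or `ldd --version` output and compares it with the table from Step 2.
"""
import re

# Patched versions exactly as listed in Step 2 of the article.
PATCHED = {
    "centos6": "2.12-1.166.el6_7.7",
    "centos7": "2.17-106.el7_2.4",
    "fedora22": "2.21-11.fc22",
    "fedora23": "2.22-9.fc23",
    "debian6": "2.11.3-4+deb6u11",
    "debian7": "2.13-38+deb7u10",
    "debian8": "2.19-18+deb8u3",
    "ubuntu15.10": "2.21-0ubuntu4.1",
    "ubuntu14.04": "2.19-0ubuntu6.7",
    "ubuntu12.04": "2.15-0ubuntu10.13",
}

# Constructed sample outputs, taken from the examples shown in Step 1.
CENTOS7_SAMPLE = """Installed Packages
glibc.x86_64 2.17-106.el7_2.1 @system-updates-released
Available Packages
glibc.i686 2.17-106.el7_2.1 system-updates-released
"""
UBUNTU_SAMPLE = """ldd (Ubuntu EGLIBC 2.21-0ubuntu4.1) 2.19
Copyright (C) 2012 Free Software Foundation, Inc.
"""

_SEG = re.compile(r"\d+|[A-Za-z]+")


def version_cmp(a, b):
    """Simplified rpmvercmp-style ordering (assumption: sufficient for the
    strings on this page). Versions are split into digit runs and letter runs;
    digit runs compare numerically, letter runs lexically, and a digit run is
    newer than a letter run at the same position. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the longer version string is the newer one.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def installed_from_yum(output):
    """Return the version under 'Installed Packages' in yum/dnf list output."""
    in_installed = False
    for line in output.splitlines():
        if line.startswith("Installed Packages"):
            in_installed = True
            continue
        if line.startswith("Available Packages"):
            in_installed = False
        if in_installed:
            parts = line.split()
            if len(parts) >= 2 and parts[0].startswith("glibc."):
                return parts[1]
    return None


def installed_from_ldd(output):
    """Return the package version from the parenthesised part of the first
    line of `ldd --version`, e.g. 'ldd (Ubuntu EGLIBC 2.21-0ubuntu4.1) 2.19'."""
    first = output.splitlines()[0] if output else ""
    match = re.search(r"\(([^)]*)\)", first)
    return match.group(1).split()[-1] if match else None


def is_patched(os_key, installed):
    """True when the installed version matches or exceeds the patched one."""
    return version_cmp(installed, PATCHED[os_key]) >= 0


if __name__ == "__main__":
    for key, ver in (("centos7", installed_from_yum(CENTOS7_SAMPLE)),
                     ("ubuntu15.10", installed_from_ldd(UBUNTU_SAMPLE))):
        state = "patched" if is_patched(key, ver) else "VULNERABLE, go to Step 3"
        print(f"{key}: installed {ver}, need {PATCHED[key]} -> {state}")
```

On a real server, pipe the actual command output into `installed_from_yum` or `installed_from_ldd` instead of the constructed samples; the CentOS 7 example from Step 1 (2.17-106.el7_2.1) comes out as vulnerable, while the Ubuntu 15.10 example (2.21-0ubuntu4.1) equals the patched version.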
Step #3: Update glibc on a Self-Managed Server
The update only needs to be applied manually on self-managed servers. If you have a self-managed server, you can run these commands as root to update and reboot:
- On Debian (6, 7, and 8) and Ubuntu (12.04 LTS, 14.04 LTS, 15.10) servers:
apt-get update
apt-get dist-upgrade
reboot
- On CentOS 6 and CentOS 7 servers:
yum clean all
yum update glibc
reboot
- On Fedora 22 and Fedora 23 servers:
dnf clean all
dnf update
reboot
About the Author: dpepper