(cache) NVD - Detail

National Cyber Awareness System

Vulnerability Summary for CVE-2015-7547

Original release date: 02/18/2016

Last revised: 02/19/2016

Source: US-CERT/NIST

Overview

Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.

Impact

CVSS Severity (version 3.0):

CVSS v3 Base Score: 8.1 High

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.2

CVSS Version 3 Metrics:

Attack Vector (AV): Network

Attack Complexity (AC): High

Privileges Required (PR): None

User Interaction (UI): None

Scope (S): Unchanged

Confidentiality (C): High

Integrity (I): High

Availability (A): High

CVSS Severity (version 2.0):

CVSS v2 Base Score: 6.8 MEDIUM

Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: https://support.f5.com/kb/en-us/solutions/public/k/47/sol47098834.html

Hyperlink: https://support.f5.com/kb/en-us/solutions/public/k/47/sol47098834.html

External Source: MISC

Name: https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

Type: Advisory

Hyperlink: https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=1293532

Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1293532

External Source: UBUNTU

Name: USN-2900-1

Hyperlink: http://ubuntu.com/usn/usn-2900-1

External Source: CONFIRM

Name: https://sourceware.org/bugzilla/show_bug.cgi?id=18665

Hyperlink: https://sourceware.org/bugzilla/show_bug.cgi?id=18665

External Source: MLIST

Name: [libc-alpha] 20160216 [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow

Type: Advisory; Patch Information

Hyperlink: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

External Source: CONFIRM

Name: https://access.redhat.com/articles/2161461

Type: Advisory

Hyperlink: https://access.redhat.com/articles/2161461

Vulnerable software and versions

* Denotes Vulnerable Software
Changes related to vulnerability configurations

Technical Details

Vulnerability Type (View All)

Buffer Errors (CWE-119)

CVE Standard Vulnerability Entry http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547

Change History 1 change record found - show changes

Quality Assurance - 2/19/2016 11:08:12 AM
Action	Type	Old Value	New Value
Changed	Reference Type	https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html No Types Assigned	https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html Advisory
Added	CWE		CWE-119
Added	CPE Configuration		Record truncated, showing 500 of 1086 characters. View Entire Change Record Configuration 1 OR cpe:2.3:a:gnu:glibc:2.22::::::: cpe:2.3:a:gnu:glibc:2.21::::::: cpe:2.3:a:gnu:glibc:2.20::::::: cpe:2.3:a:gnu:glibc:2.19::::::: cpe:2.3:a:gnu:glibc:2.18::::::: cpe:2.3:a:gnu:glibc:2.17::::::: cpe:2.3:a:gnu:glibc:2.16::::::: cpe:2.3:a:gnu:glibc:2.15::::::: cpe:2.3:a:gnu:glibc:2.14.1::::::: *cpe:2.3:a:gnu
Added	Score		VERSION2-(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Added	Score		VERSION3-AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Changed	Reference Type	https://access.redhat.com/articles/2161461 No Types Assigned	https://access.redhat.com/articles/2161461 Advisory
Changed	Reference Type	https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html No Types Assigned	https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html Advisory, Patch

View Entire Change Record

You are viewing this page in an unauthorized frame window.

National Cyber Awareness System

Vulnerability Summary for CVE-2015-7547

Overview

Impact

CVSS Severity (version 3.0):

CVSS Version 3 Metrics:

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

Vulnerable software and versions

Technical Details

Change History 1 change record found - show changes