SUSE update for glibc
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2016-10228 CVE-2021-35942 |
| CWE-ID | CWE-20 CWE-190 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Enterprise Software Development Kit Operating systems & Components / Operating system SUSE Linux Enterprise Server Operating systems & Components / Operating system glibc-i18ndata Operating systems & Components / Operating system package or component glibc-html Operating systems & Components / Operating system package or component glibc-profile-32bit Operating systems & Components / Operating system package or component glibc-locale-debuginfo-32bit Operating systems & Components / Operating system package or component glibc-locale-32bit Operating systems & Components / Operating system package or component glibc-devel-debuginfo-32bit Operating systems & Components / Operating system package or component glibc-devel-32bit Operating systems & Components / Operating system package or component glibc-debuginfo-32bit Operating systems & Components / Operating system package or component glibc-32bit Operating systems & Components / Operating system package or component nscd-debuginfo Operating systems & Components / Operating system package or component nscd Operating systems & Components / Operating system package or component glibc-profile Operating systems & Components / Operating system package or component glibc-locale-debuginfo Operating systems & Components / Operating system package or component glibc-locale Operating systems & Components / Operating system package or component glibc-devel-debuginfo Operating systems & Components / Operating system package or component glibc-devel Operating systems & Components / Operating system package or component glibc Operating systems & Components / Operating system package or component glibc-info Operating systems & Components / Operating system package or component glibc-devel-static Operating systems & Components / Operating system package or component glibc-debugsource Operating systems & Components / Operating system package or component glibc-debuginfo Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU54337
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-10228
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
MitigationUpdate the affected package glibc to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Software Development Kit: 12-SP5
SUSE Linux Enterprise Server: 12-SP5
glibc-i18ndata: before 2.22-114.12.1
glibc-html: before 2.22-114.12.1
glibc-profile-32bit: before 2.22-114.12.1
glibc-locale-debuginfo-32bit: before 2.22-114.12.1
glibc-locale-32bit: before 2.22-114.12.1
glibc-devel-debuginfo-32bit: before 2.22-114.12.1
glibc-devel-32bit: before 2.22-114.12.1
glibc-debuginfo-32bit: before 2.22-114.12.1
glibc-32bit: before 2.22-114.12.1
nscd-debuginfo: before 2.22-114.12.1
nscd: before 2.22-114.12.1
glibc-profile: before 2.22-114.12.1
glibc-locale-debuginfo: before 2.22-114.12.1
glibc-locale: before 2.22-114.12.1
glibc-devel-debuginfo: before 2.22-114.12.1
glibc-devel: before 2.22-114.12.1
glibc: before 2.22-114.12.1
glibc-info: before 2.22-114.12.1
glibc-devel-static: before 2.22-114.12.1
glibc-debugsource: before 2.22-114.12.1
glibc-debuginfo: before 2.22-114.12.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_software_development_kit:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:a:suse:glibc-i18ndata:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-html:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-profile-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-locale-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-locale-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-devel-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-devel-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:nscd-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:nscd:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-profile:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-locale-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-locale:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-devel-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-info:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-devel-static:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-debuginfo:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20212480-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Integer overflow
EUVDB-ID: #VU55972
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-35942
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information or perform a DoS attack.
The vulnerability exists due to integer overflow in parse_param in posix/wordexp.c in the GNU C Library when called with an untrusted pattern. A remote attacker can pass specially crafted data to the application, trigger integer overflow and read arbitrary memory on the system of perform a denial of service (DoS) attack.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package glibc to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Software Development Kit: 12-SP5
SUSE Linux Enterprise Server: 12-SP5
glibc-i18ndata: before 2.22-114.12.1
glibc-html: before 2.22-114.12.1
glibc-profile-32bit: before 2.22-114.12.1
glibc-locale-debuginfo-32bit: before 2.22-114.12.1
glibc-locale-32bit: before 2.22-114.12.1
glibc-devel-debuginfo-32bit: before 2.22-114.12.1
glibc-devel-32bit: before 2.22-114.12.1
glibc-debuginfo-32bit: before 2.22-114.12.1
glibc-32bit: before 2.22-114.12.1
nscd-debuginfo: before 2.22-114.12.1
nscd: before 2.22-114.12.1
glibc-profile: before 2.22-114.12.1
glibc-locale-debuginfo: before 2.22-114.12.1
glibc-locale: before 2.22-114.12.1
glibc-devel-debuginfo: before 2.22-114.12.1
glibc-devel: before 2.22-114.12.1
glibc: before 2.22-114.12.1
glibc-info: before 2.22-114.12.1
glibc-devel-static: before 2.22-114.12.1
glibc-debugsource: before 2.22-114.12.1
glibc-debuginfo: before 2.22-114.12.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_software_development_kit:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:a:suse:glibc-i18ndata:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-html:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-profile-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-locale-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-locale-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-devel-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-devel-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:nscd-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:nscd:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-profile:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-locale-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-locale:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-devel-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-info:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-devel-static:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:glibc-debuginfo:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20212480-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
