Since the 18th of February, we have been working to ensure that all in-house systems affected by this advisory are patched. We have been advised, and we agree, that this work needs to be completed as quickly as possible. It may therefore require brief windows of downtime affecting single or multiple services and circuits.

Wherever possible, we will post early notification of such customer-affecting works.

If you have any concerns or require further information, contact support in the normal manner.

Vulnerability Summary for CVE-2015-7547

Original release date: 02/18/2016
Last revised: 02/19/2016
Source: US-CERT/NIST

Overview

Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing “dual A/AAAA DNS queries” and the libnss_dns.so.2 NSS module.

Impact

CVSS Severity (version 3.0):
CVSS v3 Base Score: 8.1 High
Impact Score: 5.9
Exploitability Score: 2.2
CVSS Version 3 Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High