Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(experimental vulnerability issue) CVE-2024-2961 #699

Open
dervoeti opened this issue May 30, 2024 · 1 comment
Open

(experimental vulnerability issue) CVE-2024-2961 #699

dervoeti opened this issue May 30, 2024 · 1 comment
Assignees
@dervoeti

Comments

@dervoeti
Copy link
Member

dervoeti commented May 30, 2024
edited
Loading

View observations in SecObserve

Review assessments in SecObserve

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
@dervoeti
Copy link
Member Author

dervoeti commented Jun 4, 2024
edited by siegfriedweber
Loading

The security status of the Red Hat images can be seen in the Red Hat Ecosystem Catalog, e.g. for the Red Hat Universal Base Image 9 Minimal.

At the time of writing, the Red Hat Universal Base Image 9 Minimal "does not contain known unapplied security advisories". However, the vulnerability scanners find a lot of open CVEs, e.g. CVE-2024-2961. According to the table in the Affected Packages and Issued Red Hat Security Errata section, Red Hat Enterprise Linux 9 is affected by this CVE. But it is fixed for Red Hat Enterprise Linux 8, see RHSA-2024:2722 - Security Advisory. Either the security status in the Red Hat Ecosystem Catalog or the table on the CVE page must be wrong.

The description in NVD - CVE-2024-2961 states:

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Therefore, a system is affected if

  1. iconv is installed in version 2.39 or older,
  2. the vulnerability is not patched, and
  3. the ISO-2022-CN-EXT plugin is enabled.

RHSA-2024:2722 lists the package glibc-2.28-236.el8_9.13.x86_64.rpm as fixed. That means that the package glibc-2.28-236.el8_9.12.x86_64.rpm is affected. This is consistent with the recommendation shown by SecObserve:

Upgrade glibc to version 2.28-236.el8_9.13

Kafka in the SDP 24.3.0 contains the affected version:

$ docker run docker.stackable.tech/stackable/kafka:3.6.1-stackable24.3.0 rpm --query glibc
glibc-2.28-236.el8_9.12.x86_64

The latest UBI8 image contains the patched version:

$ docker run redhat/ubi8-minimal rpm --query glibc
glibc-2.28-236.el8_9.13.x86_64

The latest UBI9 image contains another version which is older than version 2.39 and where the patch status is unknown:

$ docker run redhat/ubi9-minimal rpm --query glibc
glibc-2.34-100.el9.x86_64

So, the Kafka image and the UBI9 image would be affected if the plugin is enabled, but it is disabled:

$ docker run docker.stackable.tech/stackable/kafka:3.6.1-stackable24.3.0 iconv -l | grep -E 'CN-?EXT'
$ docker run redhat/ubi9-minimal iconv -l | grep -E 'CN-?EXT'

It seems that this CVE has no effect on the UBI 8 and 9 images.

However, Red Hat created a ticket and fixed this issue for glibc-2.28 used by UBI8. The question is, if they also applied this patch to glibc-2.34 which is used for UBI9. It happens often that security advisories can be found for older versions but it is not clear if the issue is still fixed in a newer version.

The source RPMs can be downloaded from

The RPM package for glibc-2.28 contains the fix for the CVE-2024-2961 in the file glibc-RHEL-32475.patch. The RPM package for glibc-2.34 does not contain this patch. The patch changes the file iconvdata/iso-2022-cn-ext.c. When comparing this file between the glibc version 2.28 and 2.34, there is no significant difference, so the patch should be applied as well to version 2.34, if it was necessary for version 2.28 (the glibc source code is contained in the SRPM and can also be downloaded from https://ftp.gnu.org/gnu/glibc/):

$ diff glibc-2.28/iconvdata/iso-2022-cn-ext.c glibc-2.34/iconvdata/iso-2022-cn-ext.c
2c2
<    Copyright (C) 2000-2018 Free Software Foundation, Inc.
---
>    Copyright (C) 2000-2021 Free Software Foundation, Inc.
18c18
<    <http://www.gnu.org/licenses/>.  */
---
>    <https://www.gnu.org/licenses/>.  */

On the one hand, Red Hat did not port this patch to the newer glibc version, even if the CVE correctly states that other versions below 2.39 are affected. On the other hand, the CVE has no effect because the ISO-2022-CN-EXT plugin is not enabled.

A deeper look at the RPM spec shows that only the basic plugins (also called modules), like UTF-8, are installed with the glibc package and that the other plugins are outsourced to the glibc-gconv-extra package:

$ docker run -ti redhat/ubi9-minimal bash
[root@7d7c88c32972 /]# microdnf install glibc-gconv-extra

(microdnf:13): librhsm-WARNING **: 18:54:26.675: Found 0 entitlement certificates

(microdnf:13): librhsm-WARNING **: 18:54:26.676: Found 0 entitlement certificates
Downloading metadata...
Downloading metadata...
Downloading metadata...
Package                                                                                                                               Repository                                           Size
Installing:
 glibc-gconv-extra-2.34-100.el9.x86_64                                                                                                ubi-9-baseos-rpms                                  1.8 MB
Transaction Summary:
 Installing:        1 packages
 Reinstalling:      0 packages
 Upgrading:         0 packages
 Obsoleting:        0 packages
 Removing:          0 packages
 Downgrading:       0 packages
Is this ok [y/N]: y
Downloading packages...
Running transaction test...
Installing: glibc-gconv-extra;2.34-100.el9;x86_64;ubi-9-baseos-rpms
Complete.
[root@7d7c88c32972 /]# iconv -l | grep -E 'CN-?EXT'
ISO-2022-CN-EXT//
ISO2022CNEXT//

In summary this means, that CVE-2024-2961 was fixed in UBI8 and appears again in UBI9. The Stackable images are not affected as long as glibc-gconv-extra is not installed.

Assessments

In general: The vulnerability was found in multiple glibc* packages in each image, I only made the assessment for the glibc package itself and marked the other observations in similar packages (like glibc-common) as duplicates.

docker.stackable.tech/stackable/krb5:1.18.2-stackable24.3.0@glibc-gconv-extra:2.28-236.el8_9.12

Status VEX remediations Text
Affected No fix planned There is no fix planned for SDP 24.3. It is fixed in SDP 24.7. An out-of-bounds write flaw was found in the ISO-2022-CN-EXT plugin for glibc's iconv library. This plugin is contained in the package glibc-gconv-extra, which is installed. It is not installed anymore in SDP 24.7.

glibc-common:2.28-236.el8_9.13

Status VEX remediations Text
False positive Vulnerable code not present Vulnerability fixed according to https://access.redhat.com/errata/RHSA-2024:2722

all other images and packages from 24.3.0 and 0.0.0-dev

Status VEX justification Comment
False positive Vulnerable code not present An out-of-bounds write flaw was found in the ISO-2022-CN-EXT plugin for glibc's iconv library. This plugin is only contained in the package glibc-gconv-extra, which is not installed.

@dervoeti dervoeti self-assigned this Jun 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dervoeti dervoeti

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dervoeti