
Addressing glibc Vulnerabilities in EOL Ubuntu

Rohan Timalsina

May 16, 2024 - TuxCare expert team

The Ubuntu security team recently fixed several security issues in the GNU C Library, commonly known as glibc. Because nearly every program on an Ubuntu system is linked against glibc, a flaw in it is reachable from many different applications, and a system left unpatched is exposed to anyone who can feed crafted input to one of them. Patching these vulnerabilities promptly is therefore essential to maintaining the integrity and security of Ubuntu systems.


Affected Ubuntu Versions and glibc Vulnerabilities

 

CVE-2014-9984 (CVSS v3 Score: 9.8 Critical)

This vulnerability stems from incorrect handling of netgroup requests in the GNU C Library: the name service cache daemon (nscd) uses an incorrect buffer size when answering getnetgrent requests. It affects only Ubuntu 14.04 LTS, and an attacker could use it to crash the library or execute arbitrary code.


CVE-2015-20109 (CVSS v3 Score: 5.5 Medium)

Here, a context-dependent attacker could force the GNU C Library to crash, resulting in a denial of service. This flaw is also limited to Ubuntu 14.04 LTS and underscores the importance of applying updates promptly.


CVE-2018-11236 (CVSS v3 Score: 9.8 Critical)

When the realpath function processes a very long pathname argument, an integer overflow can occur on 32-bit architectures. The overflow leads to a stack-based buffer overflow and, potentially, arbitrary code execution. Since many programs pass attacker-influenced paths to realpath, the flaw is reachable from a wide range of applications.


CVE-2021-3999 (CVSS v3 Score: 7.8 High)

The getcwd function of the GNU C Library mishandles its output buffer: an off-by-one write occurs when getcwd is called with a buffer of exactly one byte. An attacker who can reach such a call can cause the library to crash.


CVE-2024-2961

Discovered by Charles Fol, this vulnerability is caused by incorrect handling of certain input sequences in the iconv feature of the GNU C Library: when converting to the ISO-2022-CN-EXT character set, iconv can write up to four bytes past the end of the output buffer supplied by the caller. The result can be a denial of service or, because the overflow is reachable from any application that exposes character set conversion to untrusted input, the execution of arbitrary code.


Mitigation Measures

These glibc vulnerabilities affect multiple Ubuntu releases, including Ubuntu 18.04, Ubuntu 16.04, and Ubuntu 14.04. All three have reached end of life (EOL), so they no longer receive security updates from the standard repositories; fixes such as the ones in USN-6762-1 are delivered only through Extended Security Maintenance (ESM), which requires an Ubuntu Pro subscription. On a system running one of these releases without ESM enabled, apt will report no available update for the libc6 package even though a fix exists.
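To verify that a fixed build of glibc is actually installed, compare the installed libc6 version against the fixed version listed in the advisory using Debian's version ordering (the same ordering that `dpkg --compare-versions` implements). The script below is an added example, not part of the original article or of Ubuntu's tooling: it re-implements the Debian version comparison algorithm in Python so it can also be run against a saved `dpkg-query` listing collected during an offline audit. The sample listing and the fixed versions in FIXED_VERSIONS are constructed placeholders; take the real fixed versions for your release from USN-6762-1.

```python
"""Check installed glibc packages against a fixed version (added example).

SAMPLE_DPKG_OUTPUT and FIXED_VERSIONS are constructed placeholders;
substitute the versions published in USN-6762-1 for your release.
"""
import subprocess


def _isdigit(c: str) -> bool:
    # ASCII digits only; "" (past end of string) is never a digit.
    return "0" <= c <= "9"


def _char(s: str, k: int) -> str:
    # Emulates C's NUL terminator: reading past the end yields "".
    return s[k] if k < len(s) else ""


def _order(c: str) -> int:
    # Debian ordering for non-digit characters: '~' sorts before the
    # end of the string, letters sort before other characters.
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream or revision strings (dpkg's verrevcmp)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit prefixes character by character.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the numeric runs as integers, ignoring leading zeros.
        while _char(a, i) == "0":
            i += 1
        while _char(b, j) == "0":
            j += 1
        while _isdigit(_char(a, i)) and _isdigit(_char(b, j)):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _isdigit(_char(a, i)):
            return 1
        if _isdigit(_char(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision] into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a sorts <, == or > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


# Constructed placeholders: substitute the fixed versions from USN-6762-1.
FIXED_VERSIONS = {
    "libc6": "2.27-3ubuntu1.6+esm9",
    "libc-bin": "2.27-3ubuntu1.6+esm9",
}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE_DPKG_OUTPUT = """\
libc6 2.27-3ubuntu1.6
libc-bin 2.27-3ubuntu1.6
libc6-dev 2.27-3ubuntu1.6
"""


def find_unpatched(dpkg_output: str, fixed_versions: dict) -> list:
    """Return (package, installed, required) for each package in the
    listing whose installed version sorts below the fixed version."""
    unpatched = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        package, installed = parts
        required = fixed_versions.get(package)
        if required is not None and compare_versions(installed, required) < 0:
            unpatched.append((package, installed, required))
    return unpatched


def query_installed(packages) -> str:
    """Run dpkg-query on the local host; returns "" where dpkg is absent."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Package} ${Version}\\n", *packages],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return ""
    return out.stdout


if __name__ == "__main__":
    listing = query_installed(FIXED_VERSIONS) or SAMPLE_DPKG_OUTPUT
    for package, installed, required in find_unpatched(listing, FIXED_VERSIONS):
        print(f"{package}: installed {installed} < fixed {required} (unpatched)")
```

A plain string comparison would get this wrong: "2.27-3ubuntu1.6+esm9" is newer than "2.27-3ubuntu1.6" because "+" sorts after the end of the string, while "1.0~rc1" is older than "1.0" because "~" sorts before it, and "6.15" is newer than "6.9" because numeric runs compare as integers. Also remember that a fixed version string only proves the package on disk is current; long-running processes keep the old glibc mapped until they are restarted.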

For users concerned about the cost of an Ubuntu Pro subscription, a more affordable alternative is TuxCare's Extended Lifecycle Support. TuxCare offers an additional five years of vendor-grade security patches for Ubuntu 16.04 and Ubuntu 18.04 after the EOL date, covering 140+ packages, including glibc, the Ubuntu kernel, Python, OpenSSL, and many others.

Send questions to a TuxCare security expert to get advice on how to secure your end-of-life Ubuntu systems.

 

Source: USN-6762-1
