Chainguard’s response to CVE-2023-4527 in glibc
On September 18, a vulnerability was published in the GNU C Library (glibc), which had the potential to compromise system security and stability. In this blog post, we will delve into the details of CVE-2023-4527, and explore how Chainguard responded to protect its users.
The details
CVE-2023-4527 was initially reported by Red Hat and assigned a medium severity rating with a CVSSv3.1 score of 6.5. The vulnerability resides in the 'getaddrinfo' function when it is called with the 'AF_UNSPEC' address family on a system configured with 'no-aaaa' mode via '/etc/resolv.conf'. The crux of the issue is that when a DNS response received over TCP exceeds 2048 bytes, the function can disclose stack contents through its returned address data and may also cause the process to crash.
This vulnerability is exploitable over the network; however, the attack complexity is rated high, meaning that an attacker would need significant access and resources to exploit it successfully.
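The configuration precondition described above is a resolver option, so the first thing a defender can check across a fleet is whether any host actually has 'no-aaaa' enabled. The following is an added example, not Chainguard's or glibc's code: it parses the 'options' lines of a resolv.conf (and, optionally, the RES_OPTIONS environment variable that glibc also honours) and shows the same file with the option removed. The sample file contents are constructed.

```python
"""Check for the 'no-aaaa' resolver option (the CVE-2023-4527 precondition).

Assumptions: glibc's documented resolv.conf syntax, where 'options' lines carry
space-separated option names and lines starting with '#' or ';' are comments.
"""
import os
from typing import Optional, Set


def resolv_options(text: str) -> Set[str]:
    """Collect every option name from all 'options' lines, ignoring comments."""
    found: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] == "options":
            found.update(fields[1:])
    return found


def no_aaaa_enabled(resolv_text: str, res_options_env: Optional[str] = None) -> bool:
    """True if 'no-aaaa' is set in the file or in RES_OPTIONS (space-separated)."""
    opts = resolv_options(resolv_text)
    if res_options_env:
        opts.update(res_options_env.split())
    return "no-aaaa" in opts


def remove_no_aaaa(resolv_text: str) -> str:
    """Return the config with 'no-aaaa' dropped; other options and lines are kept."""
    out = []
    for raw in resolv_text.splitlines():
        fields = raw.split()
        if fields and fields[0] == "options" and not raw.lstrip().startswith(("#", ";")):
            kept = [f for f in fields[1:] if f != "no-aaaa"]
            if kept:
                out.append("options " + " ".join(kept))
            continue  # drop an 'options' line that would now be empty
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample: the weak setting alongside unrelated options that must survive.
VULNERABLE_CONF = "# constructed sample\nnameserver 192.0.2.53\nsearch example.test\noptions ndots:2 no-aaaa timeout:3\n"

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        print("no-aaaa enabled:", no_aaaa_enabled(fh.read(), os.environ.get("RES_OPTIONS")))
```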
glibc is a fundamental package that many programs rely on, including those shipped in Chainguard Images.
We address CVEs like this one – so you don’t have to
Now, let's explore how our team responded to the discovery of CVE-2023-4527 with speed and efficiency.
On September 18, the vulnerability was initially published to the National Vulnerability Database (NVD). On the afternoon of September 21, NVD staff conducted their standard analysis, including the identification of Common Platform Enumeration (CPE) configurations used by security scanners to detect CVE records and report them.
At this point, Chainguard's automation system detected the CVE, triggering an immediate response from our security staff. The team wasted no time and began working on applying the necessary patch to mitigate the vulnerability. A pull request containing the patch was opened in Wolfi on September 22, further expediting the process of resolving the issue (you can view the PR here).
The Chainguard team moved quickly to merge the pull request, initiating the production build of the fixed version of the glibc APK. This fixed version was promptly pushed to our public repository, ensuring that everyone had access to the updated package.
To keep our users informed and secure, Chainguard published updated advisory data to let our users and customers know that we had applied a fix for CVE-2023-4527.
Within 24 hours, we rebuilt all affected Chainguard Images to incorporate the updated APK, ensuring that users are protected against this vulnerability.
Get started with Chainguard Images
According to Chainguard Labs research, popular container images, when not updated, accumulate one known vulnerability per day. Chainguard Images’ daily image rebuild policy ensures that you are using the latest, most up-to-date version of the container images you rely on to run your application.
You can try Chainguard Images for free today to see for yourself how we're working to improve the container image landscape with a secure-by-default design. Our public tier Images are available on the :latest and :latest-dev versions only. Our Images inventory is always expanding. If you need something you don’t see listed in our catalog, let us know.