Cisco says GHOST is more Casper than Sleepy Hollow

Cisco has put forward at least a partial response to 2015's first branded bug, GHOST, saying that in The Borg's world, the glibc vulnerability is probably of relatively low severity. That would, at least, explain why it's not being hunted with quite the urgency of something like Heartbleed in 2014: right now, Cisco's advisory …

  1. Anonymous Coward

    Incorrect

    The problem is that you have MORONs like SnOracle contributors to OpenJDK which have code which has getnameinfo() and getaddrinfo() in it, but ifdefs it to use gethostbyname and gethostbyaddr instead on Linux.

    So instead of having a v4/v6 unified implementation it has a factory which chooses archaic ones using gethost* family functions. All of that while having the correct code inside (it is just ifdef-ed so it is never used on Linux or BSD version >= 6).

    So while Cisco may have moved to the proper functions in all of their C code, they still have a raft of products using Java which do not use the proper function because their underlying interpreter (java) does not. Example - last time I checked Webex used java, right? It also uses the java _ON_ the system, not an alternative JDK which may not be vulnerable (not that it is likely - I bet the code in IPv4AddrImpl.c is the same throughout). So do quite a few other products.

    1. tony2heads
      WTF?

      Re: Incorrect

      anyone out there: do they really use code that has been deprecated for more than a decade?

      1. Anonymous Coward

        Re: Incorrect

        anyone out there:

        Not just use it, use it deliberately. Beginning of the file:

        #if defined(__GLIBC__) || (defined(__FreeBSD__) && (__FreeBSD_version >= 601104))
        #define HAS_GLIBC_GETHOSTBY_R 1
        #endif

        From there on they use gethostby* instead of getaddrinfo() or getnameinfo(). getaddr/name are used in the #else part of the #ifdef HAS_GLIBC_GETHOSTBY_R

        Stupidometer, here we come. We shall break through with vengeance by driving you off the scale.

        I have always admired the hubris some people get when they speak of Java performance and security. If you read the source it is frankly unwarranted, as it is screaming LOUDLY for refactoring, clean up and optimization across the board where it talks to libc (at least as far as the Linux variety of libc is concerned).
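
The contrast the thread above is drawing, as an added example that is not from the comment thread, from Cisco or from the OpenJDK sources: the IPv4-only gethostbyname() path that the quoted HAS_GLIBC_GETHOSTBY_R block ends up selecting on glibc, beside the protocol-independent getaddrinfo()/getnameinfo() pair the commenters say should be used instead. The function names and the sample inputs are my own; the numeric-host flag keeps the example offline.

```c
/* Added example, not code from the thread or from OpenJDK. Shows the
 * deprecated gethostby* lookup next to its getaddrinfo()/getnameinfo()
 * replacement. Function names and sample inputs are assumptions. */
#define _POSIX_C_SOURCE 200112L
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Legacy pattern: what the "#ifdef HAS_GLIBC_GETHOSTBY_R" branch amounts to.
 * IPv4 only, answers live in static storage, and it is the gethostby* code
 * path the GHOST advisory concerns. Kept here purely for contrast.
 * Returns AF_INET and writes the dotted-quad text, or -1 on failure. */
static int legacy_lookup(const char *host, char *buf, size_t buflen)
{
    struct hostent *he = gethostbyname(host);   /* deprecated, IPv4 only */
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL)
        return -1;
    unsigned char *a = (unsigned char *)he->h_addr_list[0];
    snprintf(buf, buflen, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
    return AF_INET;
}

/* Modern replacement: one call accepts IPv4 and IPv6 literals and names,
 * returns a heap-allocated, caller-freed list, and the text form comes
 * back through getnameinfo(). Returns the family of the first answer
 * (AF_INET or AF_INET6) or -1 on failure. */
static int modern_lookup(const char *host, int flags, char *buf, size_t buflen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* v4 or v6, whichever the host has */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;           /* AI_NUMERICHOST forbids any DNS query */

    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL)
        return -1;

    int family = res->ai_family;
    int rc = getnameinfo(res->ai_addr, res->ai_addrlen, buf, buflen,
                         NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);                /* no static buffers to overwrite */
    return rc == 0 ? family : -1;
}

int main(void)
{
    /* Constructed sample inputs; AI_NUMERICHOST keeps the run offline. */
    const char *samples[] = { "127.0.0.1", "::1", "not an address" };
    char text[INET6_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int fam = modern_lookup(samples[i], AI_NUMERICHOST, text, sizeof text);
        if (fam == -1)
            printf("%-16s -> lookup failed\n", samples[i]);
        else
            printf("%-16s -> %s (%s)\n", samples[i], text,
                   fam == AF_INET6 ? "IPv6" : "IPv4");
    }
    return 0;
}
```

With a real host name and `flags` set to 0, modern_lookup() resolves through the same NSS configuration as before but via the one API that glibc maintains for both address families, which is the migration the commenters are asking for.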

  2. artbristol

    Unlikely?

    "The other restrictions that had already been identified by Qualys ... are, Cisco says, quite unlikely in any real-world application."

    Yeah I'm sure a hacker wouldn't dream of making up a hostname that fit those restrictions.

    Reminds me of the time I was re-educating a developer on SQL injection, and asked him what would happen if there was a quote in a user-supplied input:

    "Chances are less"

    ... sigh ...

    1. Goobertee

      Re: @artbristol - Unlikely?

      /*

      Reminds me of the time I was re-educating a developer on SQL injection, and asked him what would happen if there was a quote in a user-supplied input:

      "Chances are less"

      ... sigh ...

      */

      How many people did it take to get your hands off his throat? Will he ever walk again?
