GHOST glibc Vulnerability
Summary
Quantum products that have been developed using the GNU C Library (glibc) may be affected by the GHOST glibc vulnerability identified as CVE-2015-0235 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235). The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials.
Quantum is committed to providing timely product updates to correct the GHOST vulnerability, and this advisory will be updated accordingly as we move forward.
Unaffected Quantum Products
The following Quantum products are known to be unaffected by the GHOST vulnerability.
- Scalar Key Manager
- Scalar Tape Libraries
- Scalar LTFS
- SuperLoader3
- StorNext Q-series QD/QS/QSX
- LTO Drives
- StorNext Software
- vmPRO
Vulnerable Quantum Products
Versions of the following Quantum products are known to be vulnerable to GHOST.
- DXi-Series
- Lattus (C5, C10, S10, S20)
- StorNext Appliances
Quantum Products Under Investigation
The following Quantum products are still under investigation for vulnerability to GHOST.
- Vision
- Lattus A10
Impact
A remote attacker able to make an application call the gethostbyname() or gethostbyname2() functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
Software Versions and Fixes
Patches to Quantum software and firmware are in progress; please contact your Quantum service representative for the latest status on availability.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
- https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
Contact Information
In the US, call 800-284-5101. In Europe, call toll free +800-7826-8888 or direct +49 6131 324 185. You will need your system serial number. For additional contact information, go to http://www.quantum.com/serviceandsupport/get-help/index.aspx#contact-support