[erlang-questions] FW: [rabbitmq-users] glibc GHOST vulnerability and rabbitmq

Chris Nicel Chris.Nicel@REDACTED
Wed Jan 28 15:48:32 CET 2015


Hi All,

I have a question about the GHOST vulnerability and Erlang's use of the gethostbyname() function. We use RabbitMQ here and I am attempting to understand how vulnerable to attack we are on our Linux servers so I can weigh up the odds and give my superiors a good reason to upgrade and reboot the servers.

RabbitMQ invokes the gethostbyname() function through its Erlang library. How does the Erlang library handle calls to gethostbyname? Does it sanitise the inputs or limit the length of the hostname prior to calling out?

Cheers

Chris

From: Michael Klishin [mailto:mklishin@REDACTED]
Sent: 28 January 2015 13:28
To: Chris Nicel
Cc: rabbitmq-users@REDACTED
Subject: Re: [rabbitmq-users] glibc GHOST vulnerability and rabbitmq

On 28/1/2015, at 16:17, Chris Nicel <Chris.Nicel@REDACTED> wrote:
Can you confirm if either of the following conditions is true related to Erlang and RabbitMQ:

1. The service's protocol involves it being given a hostname which needs resolving to an IP
RabbitMQ server in a cluster performs hostname resolution. So does rabbitmqctl (in most cases).

2. The service doesn't sanitise or limit the length of the given hostname before calling getHostByName
RabbitMQ does not do that, however, it also does not invoke gethostbyname(2) directly. Please ask on erlang-questions, since this is handled by the runtime.

MK
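Whatever the Erlang runtime does with the name, whether the servers are exposed is decided by the installed glibc, so a direct check of the library is the useful test. The following is an added example and not code from this thread: it follows the well-known canary-based check for GHOST (a heap overflow in glibc's __nss_hostname_digits_dots(), reached through gethostbyname()/gethostbyname_r() for names consisting only of digits and dots) and assumes a Linux host with glibc; ghost_check() is a name chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Canary placed directly after the resolver's scratch buffer. If the
 * digits-and-dots fast path in glibc overflows the buffer, the canary
 * is clobbered; a fixed glibc refuses the request with ERANGE instead. */
#define CANARY "in_the_coal_mine"
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp;

/* Returns 1 if the canary was overwritten (vulnerable glibc), 0 otherwise.
 * If rc is non-NULL it receives the gethostbyname_r() return value. */
int ghost_check(int *rc)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0;
    /* Name length chosen so that the vulnerable size calculation (which
     * omits sizeof(char *) for the h_aliases pointer) exactly fills the
     * buffer and the extra pointer write lands on the canary. The name is
     * all digits, so no DNS query is ever sent. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];

    memset(name, '0', len);
    name[len] = '\0';
    memset(&temp, 0, sizeof(temp));
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    int r = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                            &result, &herrno);
    if (rc)
        *rc = r;
    return memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0;
}

int main(void)
{
    int rc;
    if (ghost_check(&rc)) {
        puts("VULNERABLE: resolver scratch buffer overflowed into the canary");
        return 1;
    }
    printf("not vulnerable (gethostbyname_r returned %s)\n",
           rc == ERANGE ? "ERANGE, as a fixed glibc does" : "an unexpected code");
    return 0;
}
```

Compile with `cc -o ghost_check ghost_check.c` and run it on each server; it exercises only the local libc and needs no network access.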
