Chainguard’s response to CVE-2023-6246 in glibc
CVE-2023-6246 is a local privilege escalation vulnerability in the GNU C Library (glibc), which is used by a large number of libraries and, in turn, applications. The vulnerability allows an unprivileged local user to gain full root access by supplying crafted input to applications that call the vulnerable functions. It is a heap-based buffer overflow that was accidentally introduced in glibc 2.37 in August 2022 and later backported to glibc 2.36.
While the vulnerability requires specific conditions to be exploited, its impact is significant due to the widespread use of the glibc library.
The details and timeline
In November 2023, security researchers from Qualys reported a heap-based buffer overflow vulnerability to Red Hat, which was assigned CVE-2023-6246. Subsequent communication led to the discovery of two more minor vulnerabilities in the same function, CVE-2023-6779 (off-by-one buffer overflow) and CVE-2023-6780 (integer overflow). The glibc security team joined the effort, and a coordinated release date for patches was set for January 30, 2024. The vulnerabilities were successfully addressed, ensuring a coordinated and secure disclosure process. Find the detailed timeline here.
The researchers tested the vulnerability across multiple Linux distributions, including Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39), and found all of them to be vulnerable. Note that glibc is also present in Wolfi. Once the vulnerability details became public, the Chainguard team applied patches to the glibc Wolfi package on the morning of January 31, 2024, shortly after the official coordinated disclosure. Once the patches were applied, all impacted Chainguard Images were rebuilt and published within hours.
What do I need to do?
glibc is a fundamental package that many applications and programs rely on, including Chainguard Images. If you are a Chainguard Images customer or user, all patches have been applied in the glibc Wolfi package. Make sure you pull our :latest Chainguard Images that we rebuilt after the patch was issued this morning. If you’re using one or more Chainguard Images as a base image for your own image, make sure to rebuild your image as soon as possible in order to pick up the patched version of glibc.
To keep our users informed, Chainguard published updated security advisory data to let our users and customers know that we have applied a fix to CVE-2023-6246, CVE-2023-6779 and CVE-2023-6780.
Chainguard Images were built for this purpose: to rapidly remediate known, and sometimes unreported, vulnerabilities.
What our users can expect from scanners
Different scanning solutions refresh their vulnerability data at different cadences. For example, Grype updates its data once a day at 04:00 UTC, and Trivy updates its data every six hours, starting at midnight UTC. In this case, this means Trivy will start detecting unpatched versions of glibc first.
Because Chainguard published updated security data so quickly, all of our scanner integrations that support Chainguard Images will be able to confirm that you’re using the latest secure software from Chainguard as soon as their next data refresh happens.
Get started with Chainguard Images
According to Chainguard Labs research, popular container images, when not updated, accumulate one known vulnerability per day. Chainguard Images’ continuous rebuild policy ensures that you are using the latest, most up-to-date version of the container images you rely on to run your application securely.
You can try Chainguard Images for free today to see for yourself how we're working to improve the container image security landscape. Our Developer Images are available on the :latest and :latest-dev versions only. Our Production Images inventory is always expanding for your enterprise needs. If you need something you don’t see listed in our Directory, let us know.