Last year, vulnerability CVE-2019-19126 was discovered in glibc: the LD_PREFER_MAP_32BIT_EXEC environment variable is not ignored when running binaries with the setuid flag set on the x86_64 architecture. This allows an attacker to restrict library mappings to the low 32-bit portion of the address space (as if the program were 32-bit only), which reduces the randomization that address space layout randomization (ASLR) can apply. This week, a glibc update for Red Hat Enterprise Linux 7 has become available from Red Hat. For the update to take effect, however, every service linked against glibc must be restarted, or the system rebooted. We are currently preparing rebootless patches, which will be ready for distribution next week.
About the RHSA-2020:3861 advisory
The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.
The highest threat from CVE-2019-19126 is to confidentiality, although the attack complexity is high: the affected application must already have another exploitable vulnerability for this flaw to matter. On the x86-64 architecture, the GNU C Library (glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition. This allows a local attacker to restrict the range of addresses at which libraries can be loaded and thus bypass ASLR for a setuid program.
Despite its low CVSS score, CVE-2019-19126 is still risky. Anyone who thinks otherwise is mistaken and setting themselves up for more work, pain, and stress than necessary. A risk is the possibility of loss or damage when a threat exploits a vulnerability (a weakness in hardware or software), so even a low-severity vulnerability can harm your system.
What mitigations are available?
Major Linux distributions have already been patched to fix this vulnerability. System administrators should check whether a patch is available for the distributions in use within their organization. Note that enterprise distributions backport fixes, so a glibc that reports a version older than 2.31 may already be patched; check the package release named in the vendor advisory rather than the upstream version number.
Red Hat has recently issued the glibc update for Red Hat Enterprise Linux 7. Here you can find the vendor instructions on how to apply this update. Note that for the update to take effect, every service linked against glibc must be restarted, or the system rebooted; a process that was started before the update keeps the old library mapped in memory until it is restarted.
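The restart requirement is easy to overlook, because the package update itself succeeds silently while long-running daemons keep the old glibc mapped. The following script is an added example (not code from the original post or from KernelCare) that finds such processes: on Linux, a mapping whose backing file has been replaced on disk is shown in /proc/<pid>/maps with a "(deleted)" suffix, so any process still mapping a deleted glibc file needs a restart. The library-name prefixes, the sample maps excerpt and the example process names are constructed for illustration; run it as root for full coverage, since unprivileged users cannot read other users' maps files.

```python
#!/usr/bin/env python3
"""List processes that still map a glibc file replaced on disk by an update.

After the glibc package is updated, each running process keeps the old
library mapped until it is restarted; /proc/<pid>/maps marks the stale
mapping with a "(deleted)" suffix. Added example, not the post's own code.
"""
import os
import re

# Basenames of the libraries shipped by the glibc packages named in the
# advisory (libc, libpthread, libm, and the dynamic loader). Assumed set.
GLIBC_LIBS = ("libc-", "libc.so", "libpthread", "libm-", "libm.so", "ld-")

# /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def stale_glibc_mappings(maps_text):
    """Return the sorted, de-duplicated deleted glibc paths in one maps listing."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if not path.endswith("(deleted)"):
            continue
        # Strip the suffix and look only at the file name, e.g. "libc-2.17.so".
        base = os.path.basename(path[: -len("(deleted)")].rstrip())
        if base.startswith(GLIBC_LIBS):
            stale.add(path)
    return sorted(stale)


def scan_proc(proc_root="/proc"):
    """Walk proc_root and return {pid: [stale glibc paths]} for live processes."""
    result = {}
    if not os.path.isdir(proc_root):
        return result
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_glibc_mappings(fh.read())
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited, or maps not readable without root
        if stale:
            result[int(entry)] = stale
    return result


def process_name(pid, proc_root="/proc"):
    """Best-effort command name for a pid, for readable output."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


# Constructed sample: a maps excerpt from a process started before the update.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 fd:00 1234  /usr/bin/example
7f3a2c000000-7f3a2c1c3000 r-xp 00000000 fd:00 5678  /usr/lib64/libc-2.17.so (deleted)
7f3a2c1c3000-7f3a2c3c2000 ---p 001c3000 fd:00 5678  /usr/lib64/libc-2.17.so (deleted)
7f3a2c3ca000-7f3a2c3ec000 r-xp 00000000 fd:00 9999  /usr/lib64/ld-2.17.so
7f3a2c3ec000-7f3a2c40c000 rw-p 00000000 00:00 0     [heap]
"""

if __name__ == "__main__":
    print("Sample listing needs restart for:", stale_glibc_mappings(SAMPLE_MAPS))
    live = scan_proc()
    for pid in sorted(live):
        print(f"pid {pid} ({process_name(pid)}) still maps: {', '.join(live[pid])}")
    if not live:
        print("No running process maps a deleted glibc file.")
```

The (deleted) marker only appears once the package manager has replaced the file, so run the check after the update; an empty result means every process is already using the new library (or that the scan lacked permission to read other users' maps files).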
Alternatively, KernelCare+ can install this and other glibc updates to the running processes, without the need to restart or reboot. You can sign up for a 7-day trial of KernelCare+ and get the rebootless updates early next week.