February 16, 2016
On Tuesday, February 16th, researchers published details about a new vulnerability in the glibc library, a standard C library. The vulnerability existed in the code used to translate hostnames into IP addresses. Processes that use it are very common across network service providers, such as CDNs.
Fastly immediately implemented a security update on affected systems. No customer action is required. Fastly’s service was not impacted.
Deployment of the updates did not impact customers.
On Tuesday, February 16th, Fastly deployed vendor-provided security updates to affected production systems to address the root cause of the vulnerability. No customer action is required.
A stack-based buffer overflow was identified in the glibc client-side DNS resolver, the component of glibc that allows clients to resolve hostnames into IP addresses. To successfully exploit the vulnerability, an attacker would need to be able to trigger a DNS lookup for a hostname they control.
At Fastly, many of our systems perform DNS lookups for a variety of reasons, including resolving customer origin server hostnames. Fastly immediately prioritized systems that handle customer information, assessed those with affected versions of glibc, and then implemented the full patch for glibc once available from the vendor.
Fastly systems are built with ASLR and other runtime memory corruption mitigations enabled. ASLR (address space layout randomization) is a technique which would make reliable exploitation of this vulnerability more difficult. We carefully monitored systems for crashes that appeared to be related to this vulnerability and found no indication of attempted exploitation.
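The crash monitoring described above can be approximated by triaging kernel segfault records, since exploitation attempts that fail against a randomized address space tend to surface as crashes. The following is an added example, not Fastly's tooling: the log lines are constructed, the process and host names are hypothetical, and the list of resolver-related libraries and the repeat threshold are assumptions.

```python
import re
from collections import defaultdict

# Linux x86 kernel log format for a user-space segfault; " in <module>[...]"
# is omitted when the faulting instruction pointer is outside every mapping.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<module>[^\s\[]+)\[)?"
)
# Assumption: shared objects on the glibc hostname-resolution path.
RESOLVER_LIBS = re.compile(r"^(libc|libresolv|libnss_dns)[-.]")

# Constructed sample lines (hosts, process names and addresses are invented).
SAMPLE_LOG = """\
Feb 16 14:02:11 cache-01 kernel: fetchd[4211]: segfault at 7ffd3c2a1000 ip 00007f3a1c0d2e41 sp 00007ffd3c29f8b0 error 6 in libresolv-2.19.so[7f3a1c0c8000+17000]
Feb 16 14:02:14 cache-01 kernel: fetchd[4260]: segfault at 7f3a00001234 ip 00007f3a00001234 sp 00007ffc11a0e9d8 error 14
Feb 16 14:02:19 cache-01 kernel: fetchd[4302]: segfault at 18 ip 00007f9b2d41a0c3 sp 00007ffe5a10c2f0 error 4 in libc-2.19.so[7f9b2d390000+1bb000]
Feb 16 15:40:03 cache-02 kernel: imgproc[991]: segfault at 0 ip 000000000040123a sp 00007ffd0c3e1a10 error 4 in imgproc[400000+5000]
"""

def triage(lines, repeat_threshold=3):
    """Return {process name: [reasons]} for crashes that merit review."""
    hits = defaultdict(list)
    for line in lines:
        m = SEGFAULT_RE.search(line)
        if not m:
            continue
        module = m.group("module")
        if module is None:
            kind = "unmapped-ip"    # control flow left all mapped code
        elif RESOLVER_LIBS.match(module):
            kind = "resolver-lib"   # fault inside a name-resolution library
        else:
            kind = "other"
        hits[m.group("comm")].append(kind)
    report = {}
    for comm, kinds in hits.items():
        reasons = sorted({k for k in kinds if k != "other"})
        if len(kinds) >= repeat_threshold:
            reasons.append("repeated")  # many crashes of one service
        if reasons:
            report[comm] = reasons
    return report

if __name__ == "__main__":
    for comm, reasons in triage(SAMPLE_LOG.splitlines()).items():
        print(comm, ", ".join(reasons))
```

A binary built with a stack protector aborts when it detects a smashed stack rather than faulting, so those terminations do not appear as kernel segfault records and have to be collected from the process's own abort output or core dumps.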
You can learn more about the glibc vulnerability in this blog post published on the issue. Detailed information can be found in this thread on the GNU C Library mailing list.