If your system has certain versions (2.2 - 2.17) of glibc then it has the GHOST vulnerability. However, an attacker who does not otherwise have access to your system cannot take advantage of that vulnerability until some other criteria are met. You need to have a program listening on an open port that will accept attacker-controlled input which makes it way to gethostbyname.
Qualys apparently did this analysis and listed programs that are not vulnerable:
http://ift.tt/1D4oDx0
Has anyone done that same analysis with tomcat 7 with JSSE SSL? What are some things to consider when doing so?
Thanks!
Aucun commentaire:
Enregistrer un commentaire