Is Java vulnerable to glibc GHOST Vulnerability in Linux?

Question

I see on our RedHat Linux platform that "java" process has dependency over glibc library:

[root@hpproliant1 ~]# ldd /usr/bin/java
linux-gate.so.1 =>  (0xffffe000)
libpthread.so.0 => /lib/libpthread.so.0 (0xf7f77000)
libjli.so => /usr/java/32bit/jre1.6.0_26/bin/../lib/i386/jli/libjli.so (0xf7f6e000)
libdl.so.2 => /lib/libdl.so.2 (0xf7f69000)
libc.so.6 => /lib/libc.so.6 (0xf7e11000)
/lib/ld-linux.so.2 (0xf7f97000)

Does Java APIs call indirectly problematic glibc functions? If so is the jvm using the vulnerable function in a way that's vulnerable?

Answer 1

Possibly.

The two functions that are vulnerable in glibc are gethostbyname and gethostbyname2. You noticed that java is linked to glibc, but to even be possible to be vulnerable it has to link to these specific functions.

It's possible to scan the ELF binary and look through the linked libraries with the program readelf.

It's recently come out that procmail is vulnerable, let's check this approach works with a known vulnerable program.

readelf --dyn-syms /usr/bin/procmail |grep gethostbyname
    46: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gethostbyname@GLIBC_2.2.5 (2

And it does!

If you can the jvm executable, you won't find references to gethostbyname.

If you scan the libraries included with java, you will:

readelf --dyn-sym libdt_socket.so |grep gethostbyname
    19: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gethostbyname@GLIBC_2.2.5 (4)

Whether this is exploitable or not requires further analysis. But until proven otherwise, you should update your glibc library.