Situation
CVE-2023-4911 was discovered in glibc's ld.so.
Impact
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES
environment variable (CVE-2023-4911). A local attacker can set a maliciously crafted GLIBC_TUNABLES value and then
launch a set-user-ID (SUID) binary to execute code with that binary's elevated privileges. Because the overflow
happens inside ld.so before the program's own code runs, it does not depend on a flaw in any particular SUID binary.
Call to action
The vulnerability is in the system C library. Plesk doesn't ship its own glibc, so the fix comes from the OS vendor's
glibc package update. Follow the OS vendor's advisory to update the vulnerable library.
These Linux distributions have already published fixes:
- Ubuntu issued fixes for glibc in 22.04 and 23.04; Ubuntu 20.04 (focal) is not vulnerable.
- RHEL 8 and 9 are fixed.
- Debian 11 and 12 issued fixes for glibc.
- AlmaLinux 8 and 9 are fixed.
- Rocky Linux 8 is fixed.
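The following POSIX shell script is an added example for checking where a host stands against CVE-2023-4911; it is not Plesk's tooling and is not part of the original advisory. It assumes that glibc 2.34 through 2.38 shipped the bug and that 2.39 carries the upstream fix, and that vendors backport the fix without changing the version number (the Debian 11 entry above is a case of a fix on an older branch), so the version parsed from ldd --version is treated only as a hint. The authoritative signals are a CVE-2023-4911 entry in the installed package's changelog (rpm -q --changelog glibc on RHEL-family systems, /usr/share/doc/libc6/changelog.Debian.gz on Debian and Ubuntu) and, when requested with --probe, the crash test published by Qualys, which makes su --help segfault under an unpatched loader and print its usage text under a patched one. The script name glibc-4911-check.sh is an assumption used for the direct-execution guard.

```shell
#!/bin/sh
# Added example for the Plesk advisory above; not Plesk's code.
# Assumptions (not stated in the advisory):
#   - glibc 2.34 through 2.38 shipped the CVE-2023-4911 bug; 2.39 has the fix.
#   - vendors backport the fix without bumping the version, so the version
#     range is only a hint; the changelog and the crash probe are decisive.

# in_affected_range VERSION -> exit 0 when 2.34 <= VERSION < 2.39.
# Accepts vendor strings such as 2.35-0ubuntu3.4 or 2.31-13+deb11u7.
in_affected_range() {
  case "$1" in
    [0-9]*.[0-9]*) ;;
    *) return 1 ;;                 # not a glibc version string (musl, empty, ...)
  esac
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%[!0-9]*}           # drop ".4", "-0ubuntu3", "+deb11u7" suffixes
  [ "$major" -eq 2 ] && [ "$minor" -ge 34 ] && [ "$minor" -lt 39 ]
}

# installed_glibc_version -> prints the version ldd reports (last field of
# "ldd (Ubuntu GLIBC 2.35-0ubuntu3.4) 2.35"), or nothing if ldd is absent.
installed_glibc_version() {
  ldd --version 2>/dev/null | head -n 1 | awk '{ print $NF }'
}

# changelog_mentions_fix -> exit 0 when the installed glibc package's changelog
# references CVE-2023-4911, i.e. the vendor applied the backport. Images that
# strip /usr/share/doc will report "no entry" even when patched.
changelog_mentions_fix() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --changelog glibc 2>/dev/null | grep -q 'CVE-2023-4911'
  elif [ -r /usr/share/doc/libc6/changelog.Debian.gz ]; then
    zcat /usr/share/doc/libc6/changelog.Debian.gz | grep -q 'CVE-2023-4911'
  else
    return 1
  fi
}

# crash_probe -> the Qualys test: a duplicated tunable name plus an 8 KiB
# environment variable. ld.so parses GLIBC_TUNABLES before su runs, so an
# unpatched loader segfaults; a patched one prints su's usage text.
# Only su --help is exercised, no privilege change occurs, but try it on a
# test box first.
crash_probe() {
  rc=0
  pad=$(printf '%08192x' 1)
  env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=$pad" \
      /usr/bin/su --help >/dev/null 2>&1 || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "probe: loader survived, fix is present"; return 0
  elif [ "$rc" -ge 128 ]; then
    echo "probe: su crashed (exit $rc) while ld.so parsed GLIBC_TUNABLES: VULNERABLE"; return 1
  else
    echo "probe inconclusive: su exited $rc"; return 2
  fi
}

main() {
  ver=$(installed_glibc_version)
  if [ -z "$ver" ]; then
    echo "could not determine the C library version (ldd missing or not glibc)"; return 2
  fi
  echo "installed glibc: $ver"
  if in_affected_range "$ver"; then
    echo "version lies in the 2.34-2.38 range that shipped the bug"
  else
    echo "version is outside the affected range (a vendor backport could still carry the bug)"
  fi
  if changelog_mentions_fix; then
    echo "package changelog references CVE-2023-4911: vendor fix applied"
  else
    echo "no CVE-2023-4911 entry in the package changelog (unpatched, or docs stripped)"
  fi
  if [ "${1:-}" = "--probe" ]; then
    crash_probe
  fi
}

# Run only when executed as glibc-4911-check.sh (assumed name); sourcing the
# file just defines the functions.
case "$0" in
  *glibc-4911-check.sh) main "$@" ;;
esac
```

Save it as glibc-4911-check.sh and run it after applying the vendor update; add --probe to confirm with the crash test. A version outside the affected range together with no changelog entry is the ambiguous case (stripped docs or an unusual backport), and the probe settles it.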