SituationCVE-2023-4911 was discovered in glibc's ld.so.
ImpactA buffer overflow was discovered in the GNU C Library's dynamic loader ld .so while processing the
GLIBC_TUNABLES environment variable (CVE-2023-4911 (https://www.cve.org/CVERecord?id=CVE-2023-4911v)). This issue could allow a local attacker to use
maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to
execute code with elevated privileges.
Call to actionThe vulnerability affects the system library. Plesk doesn't ship its own glibc. So, it is fixed by the system
package's update.
OS vendor's advisories should be followed to update the vulnerable library.
These Linux distributions have already published fixes:
- Ubuntu (https://ubuntu.com/security/notices/USN-6409-1) issued fixes for glibc in 22.04, 23.04. Ubuntu 20 (focal) is not vulnerable.
- RHEL (https://access.redhat.com/security/cve/cve-2023-4911#cve-faq) 8,9 are fixed.
- Debian 11, 12 issued fixes for glibc.
- AlmaLinux 8 (https://errata.almalinux.org/8/ALSA-2023-5455.html) and 9 (https://errata.almalinux.org/9/ALSA-2023-5453.html) are fixed.
- Rocky Linux 8 (https://errata.rockylinux.org/RLSA-2023:5455) was fixed.