Summary

Quantum products that have been developed using the GNU C Library (glibc) may be affected by the GHOST glibc vulnerability identified as CVE-2015-0235 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235). The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials.

Quantum is committed to providing timely product updates to correct the GHOST vulnerability, and this advisory will be updated accordingly as we move forward.

Unaffected Quantum Products

The following Quantum products are known to be unaffected by the GHOST vulnerability.

• Scalar Key Manager
• Scalar Tape Libraries
• Scalar LTFS
• SuperLoader3
• StorNext Q-series QD/QS/QSX
• LTO Drives
• StorNext Software
• vmPRO

Vulnerable Quantum Products

Versions of the following Quantum products are known to be vulnerable to GHOST.

• DXi-Series
• Lattus (C5, C10, S10, S20)
• StorNext Appliances

Quantum Products Under Investigation

The following Quantum products are still under investigation for vulnerability to GHOST.

• Vision
• Lattus A10

Impact

A remote attacker able to make an application call using gethostbyname() or gesthostbyname2() functions could use this flaw to execute arbitrary code with the permissions of the user running the application..

Software Versions and Fixes

Patches to Quantum software and firmware are in progress; please contact your Quantum service representative for the latest status on availability.

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
• https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

Contact Information

In US, call 800-284-5101. In Europe, call toll free +800-7826-8888 or direct +49 6131 324 185. You will need your system serial number. For additional contact information, go to//www.zjhxrs.com/serviceandsupport/get-help/index.aspx#contact-support