Blog

October 4, 2023

CVE-2023-4911: High Severity "Looney Tunables" Vulnerability Impacting Open Source Software

Javier Perez
Javier Perez

Operating Systems,

Security

On 10/3/2023, Red Hat and Qualys issued a coordinated release regarding a new high severity CVE-2023-4911, nicknamed Looney Tunables. The vulnerability was discovered by the Qualys Threat Research Unit (TRU) and described as a buffer overflow vulnerability in GNU C Library’s dynamic loader’s processing of the GLIBC_TUNABLES environment variable. 
 

What is the impact of CVE-2023-4911? 

According to a blog published by Qualys on 10/3: “The presence of a buffer overflow vulnerability in the dynamic loader’s handling of the GLIBC_TUNABLES environment variable poses significant risks to numerous Linux distributions. This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security.”

According to NIST, CVE-2023-4911 is still currently awaiting analysis. However, Red Hat, Inc has classified this CVE with a high-severity CVSS 3 base score of 7.8. 

 

OpenLogic Patch for CVE-2023-4911 Available

OpenLogic has published a new patch to address this CentOS 8 vulnerability. OpenLogic customers with CentOS 8 Long-Term Support receive patches for high-severity CVEs post end-of-life and this one requires immediate attention. OpenLogic customers can access the latest patch in the OpenLogic private repository. 

Need CentOS 8 Long-Term Support? 

OpenLogic provides CentOS LTS for five years past EOL, as well as technical support and professional services. Teams can open up unlimited support tickets to ask questions about how CVEs affecting CentOS, like CVE-2023-4911, will impact their infrastructure. 

See CentOS LTS Details   Get A Quote

Additional Resources