Bug 2367468 (CVE-2025-4802)

Summary: CVE-2025-4802 glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ashankar, cchiang, codonell, dj, fweimer, it.vidhyadharan, pfrankli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the glibc library. A statically linked setuid binary that calls dlopen(), including internal dlopen() calls after setlocale() or calls to NSS functions such as getaddrinfo(), may incorrectly search LD_LIBRARY_PATH to determine which library to load, allowing a local attacker to load malicious shared libraries, escalate privileges and execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2367471, 2367472, 2367473, 2367474    
Bug Blocks:    

Description OSIDB Bzimport 2025-05-20 13:02:40 UTC 
Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).
Comment 2 TEJ RATHI 2025-05-20 13:21:03 UTC 
Vulnerable-Commit: 10e93d968716ab82931d593bada121c17c0a4b93 (2.27)
Fix-Commit: 5451fa962cd0a90a0e2ec1d8910a559ace02bba0 (2.39)
Comment 4 vidhyadharan 2025-05-21 13:02:43 UTC 
The issue found on registry.access.redhat.com/ubi9/openjdk-21-runtime:1.22-1.1747241886 very latest images. 
and which uses - > 
registry.redhat.io/rhel9-osbs/osbs-ubi9-minimal:latest 

{
            "text": "",
            "id": 46,
            "severity": "high",
            "cvss": 8.4,
            "status": "affected",
            "cve": "CVE-2025-4802",
            "cause": "",
            "description": "Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).",
            "title": "",
            "vecStr": "",
            "exploit": "",
            "riskFactors": {
              "Attack complexity: low": true,
              "DoS - High": true,
              "High severity": true,
              "Recent vulnerability": true
            },
            "link": "https://access.redhat.com/security/cve/CVE-2025-4802",
            "type": "image",
            "packageType": "os",
            "layerTime": 1747241654,
            "templates": null,
            "twistlock": false,
            "cri": false,
            "published": 1747426522,
            "fixDate": 0,
            "applicableRules": [
              "*"
            ],
            "discovered": "2025-05-21T12:35:36Z",
            "functionLayer": "",
            "wildfireMalware": {},
            "secret": {},
            "severityCHML": "H",
            "packageName": "glibc",
            "packageVersion": "2.34-168.el9_6.14",
            "packageBinaryPkgs": [
              "glibc-common",
              "glibc-minimal-langpack",
              "glibc"
            ],
            "packagePath": "",
            "packageLicense": "LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL"
          }
Comment 5 errata-xmlrpc 2025-06-09 08:49:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:8655 https://access.redhat.com/errata/RHSA-2025:8655
Comment 6 errata-xmlrpc 2025-06-09 14:35:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8686 https://access.redhat.com/errata/RHSA-2025:8686
Comment 16 errata-xmlrpc 2025-06-23 03:31:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:9336 https://access.redhat.com/errata/RHSA-2025:9336
Comment 17 errata-xmlrpc 2025-07-01 02:35:54 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2025:9750 https://access.redhat.com/errata/RHSA-2025:9750
Comment 18 errata-xmlrpc 2025-07-02 03:53:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:9765 https://access.redhat.com/errata/RHSA-2025:9765
Comment 19 errata-xmlrpc 2025-07-02 03:57:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:9725 https://access.redhat.com/errata/RHSA-2025:9725
Comment 20 errata-xmlrpc 2025-07-02 12:23:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2025:10220 https://access.redhat.com/errata/RHSA-2025:10220
Comment 21 errata-xmlrpc 2025-07-02 14:12:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:10219 https://access.redhat.com/errata/RHSA-2025:10219
Comment 25 errata-xmlrpc 2025-07-09 04:04:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:10294 https://access.redhat.com/errata/RHSA-2025:10294