Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2022-23219

CVE-2022-23219: GNU Glibc Buffer Overflow Vulnerability

CVE-2022-23219 is a buffer overflow flaw in GNU Glibc's clnt_create function that allows attackers to trigger denial of service or execute arbitrary code. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2022-23219 Overview

CVE-2022-23219 is a buffer overflow vulnerability in the deprecated compatibility function clnt_create within the sunrpc module of the GNU C Library (glibc) through version 2.34. The function copies its hostname argument onto the stack without properly validating the length of the input, creating a classic stack-based buffer overflow condition. This vulnerability can result in denial of service and, in cases where applications are not compiled with stack protector mitigations enabled, may allow arbitrary code execution.

Critical Impact

Unauthenticated remote attackers can exploit this buffer overflow to crash applications or potentially execute arbitrary code on systems running vulnerable versions of glibc without stack protection.

Affected Products

  • GNU glibc (versions through 2.34)
  • Oracle Communications Cloud Native Core Binding Support Function 22.1.3
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment 22.1.0
  • Oracle Communications Cloud Native Core Network Repository Function 22.1.2, 22.2.0
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy 22.1.1
  • Oracle Communications Cloud Native Core Unified Data Repository 22.2.0
  • Oracle Enterprise Operations Monitor 4.3, 4.4, 5.0
  • Debian Linux 10.0

Discovery Timeline

  • 2022-01-14 - CVE-2022-23219 published to NVD
  • 2025-05-05 - Last updated in NVD database

Technical Details for CVE-2022-23219

Vulnerability Analysis

This vulnerability exists in the deprecated clnt_create function within the sunrpc module, which is part of the Remote Procedure Call (RPC) implementation in glibc. The function is designed to create an RPC client handle for the specified program on a remote host. The core issue stems from inadequate bounds checking when handling the hostname argument.

When clnt_create receives a hostname string, it allocates space on the stack and copies the hostname without first verifying that the input length fits within the allocated buffer. This creates a classic stack-based buffer overflow scenario where an attacker can supply an overly long hostname string to overwrite adjacent stack memory.

The impact of exploitation depends heavily on the compilation options used when building the affected application. Modern systems typically compile applications with stack protector mechanisms (such as -fstack-protector in GCC), which can detect stack buffer overflows and terminate the program before control flow hijacking occurs. However, if an application is built without these protections, the buffer overflow can be leveraged to overwrite the return address on the stack, enabling arbitrary code execution.

Root Cause

The root cause is a missing length validation check in the clnt_create function before performing a stack-based copy operation. The function assumes that hostname arguments will be reasonably sized and does not enforce any maximum length constraint. This is classified as CWE-120 (Buffer Copy without Checking Size of Input), a fundamental memory safety issue in C code where the programmer fails to verify input bounds before copying data into a fixed-size buffer.

Attack Vector

The vulnerability can be exploited remotely over the network by any application that passes user-controlled hostname data to the clnt_create function. An attacker would need to identify an application that:

  1. Uses the vulnerable clnt_create function from glibc
  2. Accepts hostname input from untrusted sources (network, user input, configuration files)
  3. Passes this input without proper sanitization

The attack does not require authentication or user interaction. An attacker supplies a specially crafted oversized hostname string that, when processed by the vulnerable function, overflows the stack buffer. The overflow corrupts adjacent stack memory including potentially the saved return address.

When stack protector is enabled, the canary value is overwritten and detected, causing a controlled crash (denial of service). Without stack protection, the attacker can control the instruction pointer and redirect execution to attacker-controlled code or ROP gadgets.

Detection Methods for CVE-2022-23219

Indicators of Compromise

  • Unexpected application crashes in services using RPC functionality with stack smashing detected errors
  • Segmentation faults in processes linked against glibc's sunrpc module
  • Abnormally long hostname strings in network traffic destined for RPC services
  • Core dumps indicating stack corruption in clnt_create or related RPC functions

Detection Strategies

  • Monitor system logs for stack smashing detected messages that may indicate exploitation attempts
  • Implement application-level input validation to reject hostnames exceeding reasonable length limits (typically 253 characters for valid DNS hostnames)
  • Use memory safety analysis tools during development to identify applications calling clnt_create
  • Deploy network intrusion detection rules to identify anomalously long hostname fields in RPC-related traffic

Monitoring Recommendations

  • Enable crash reporting and analyze core dumps for signs of buffer overflow exploitation
  • Monitor for unusual RPC service behavior including unexpected restarts or terminations
  • Implement application performance monitoring to detect denial of service conditions
  • Review system logs for glibc-related errors in RPC-dependent applications

How to Mitigate CVE-2022-23219

Immediate Actions Required

  • Update glibc to a patched version that addresses CVE-2022-23219
  • Apply vendor patches from Oracle, Debian, and other affected distributions
  • Ensure all applications are compiled with stack protector enabled (-fstack-protector-strong or -fstack-protector-all)
  • Audit applications for usage of the deprecated clnt_create function and migrate to safer alternatives

Patch Information

Vendors have released patches to address this vulnerability. The Sourceware Bug Report #22542 tracks the upstream glibc fix. Organizations should apply the following vendor updates:

Workarounds

  • Implement input validation at the application layer to limit hostname length before passing to RPC functions
  • Compile applications with Address Space Layout Randomization (ASLR) and stack canaries enabled
  • Consider using application sandboxing or containerization to limit the impact of potential exploitation
  • Restrict network access to RPC services to trusted hosts only
bash
# Check glibc version on the system
ldd --version

# Verify stack protector is enabled in compiled binaries
readelf -s /path/to/binary | grep __stack_chk

# Update glibc on Debian-based systems
apt-get update && apt-get upgrade libc6

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne