Skip to main content


What is GHOST?What is GHOST?

GHOST (CVE-2015-0235) is a buffer overflow vulnerability in the GLIBC2 system library. Within that library the gethostbyname() and gethostbyname2() functions are vulnerable. This vulnerability makes it possible for attackers to execute code on a vulnerable system. This could be used to remotely install cyber-espionage malware or turn machines into botnet "zombies" that execute DDoS attacks on-demand.  

What is GLIBC?

Glibc is a commonly used system library on Linux servers. This means any program that links to this library and calls either of the two vulnerable “get host” functions is vulnerable.

What systems are vulnerable?

The vulnerability known as GHOST impacts Linux systems using glibc version 2.

Why is this vulnerability so wide-spread?

This is yet another example, like Heartbleed and Shellshock, of a widely-used open source component that is quite vulnerable. Most applications are assembled from reusable components, or as in this case rely on shared components for basic functionality. Thus, it is critical to quickly find all the applications where a vulnerable component is used. The most effective way to accomplish this is typically with a combination of SAST, DAST, software composition analysis and web application perimeter monitoring.

How long has this vulnerability existed?

It appears this vulnerability has existed since late 2000.

Everything You Need to Know About Maturing an AppSec Program

Learn best practices from the pros at Veracode.

Get the Handbook

Why should you pay attention?

This is a serious vulnerability because there is a high impact when exploited, is very widespread and has the potential to allow the remote execution of malicious code. At this point we don’t know how widespread GHOST is, however it's widespread enough that IT operations teams at many companies are now scrambling to find all instances so they can patch them ASAP.

Who should pay attention?

Any organization using Linux servers or desktop systems.

What can you do to protect your company’s data?

The first step a company can take is to understand which applications are calling the vulnerable service. From there enterprises can prioritize which Linux hosts should be scrutinized and patched. 

Is there a patch?

Yes, a patch was made available in May 2013. However, because the patch was not issued as a security advisory, many security teams missed the alert.

Where can I find the patch?

To find the patch go to the distribution site of your operating system or distribution provider, for example Red Hat. 

Ultimate Guide to Getting Started With AppSec

Learn best practices from the pros at Veracode.

Get the Handbook