CVE-2023-4911 was discovered in glibc's ld.so.
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the
GLIBC_TUNABLES environment variable (CVE-2023-4911). This issue could allow a local attacker to use maliciously crafted
GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
Call to action
The vulnerability is in the system's glibc. Plesk does not ship its own
glibc, so the fix comes from the operating system's glibc package update.
Follow your OS vendor's advisory to update the vulnerable library.
These Linux distributions have already published fixes:
- Ubuntu issued fixes for glibc in 22.04 and 23.04. Ubuntu 20.04 (focal) is not vulnerable.
- RHEL 8 and 9 are fixed.
- Debian 11 and 12 issued fixes for glibc.
- AlmaLinux 8 and 9 are fixed.
- Rocky Linux 8 is fixed.
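An added triage helper for the call to action above (example code, not part of the Plesk advisory): it reads the installed glibc version and distribution and reports whether the host falls in the affected range. It assumes the flawed GLIBC_TUNABLES parsing first appeared in glibc 2.34, which is why Ubuntu 20.04 (glibc 2.31) is not affected; because vendors backport fixes without changing the upstream version, a version in the affected range only means the vendor's fixed package version must be checked.

```shell
#!/bin/sh
# Triage helper for CVE-2023-4911 (constructed example, not Plesk code).
# Assumption: the bug exists in upstream glibc >= 2.34; distro backports mean
# only the vendor's package version proves the fix is installed.

# glibc_in_affected_range VERSION -> prints "yes" or "no"
# Accepts "2.35", "2.37-0ubuntu2" etc.; compares major.minor against 2.34.
glibc_in_affected_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}   # drop any package suffix after the minor number
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 34 ]; }; then
        echo yes
    else
        echo no
    fi
}

# installed_glibc_version -> prints e.g. "2.35" (empty if getconf is missing)
installed_glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}'
}

# os_id -> prints the ID field of /etc/os-release (ubuntu, debian, rhel, ...)
os_id() {
    if [ -r /etc/os-release ]; then
        . /etc/os-release
        echo "${ID:-unknown}"
    else
        echo unknown
    fi
}

# triage -> one-line verdict for this host
triage() {
    id=$(os_id)
    v=$(installed_glibc_version)
    if [ -z "$v" ]; then
        echo "glibc version unknown; run 'ldd --version' manually"
        return 0
    fi
    if [ "$(glibc_in_affected_range "$v")" = no ]; then
        echo "$id: glibc $v predates the flawed tunables parser; not affected"
    else
        echo "$id: glibc $v is in the affected range; verify the vendor's fixed glibc package is installed"
    fi
}

# Run the triage only when invoked with --triage, so the file can also be sourced.
if [ "${1-}" = "--triage" ]; then
    triage
fi
```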