Bug 1032572
Summary: | rsyslog: remote DoS when imgssapi module is enabled | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Ratul Gupta <ratulg> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | jkurik, jlieskov, lkundrak, mah.darade, theinric |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | rsyslog 6.1.5 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-09-18 20:09:23 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1032575 | ||
Bug Blocks: | 1032578 |
Description
Ratul Gupta
2013-11-20 12:20:51 UTC
Created rsyslog tracking bugs for this issue: Affects: fedora-all [bug 1032575] This issue does not affect rsyslog as shipped with Fedora 19 and 20 (7.2.6). It does affect the version of ryslog5 as shipped with Red Hat Enterprise Linux 5 (but not rsyslog 3.x). It does affect rsyslog on Red Hat Enterprise Linux 6, but was fixed in 5.8.10-8.el6 (released with 6.5): * Wed Aug 14 2013 Tomas Heinrich <theinric> 5.8.10-8 ... - add a patch to prevent a segfault in gssapi resolves: #862517 A simple workaround for those using GSSAPI with rsyslog is to use iptables to restrict incoming connections to trusted machines only. It's not a perfect work-around (one could telnet to the rsyslog listening port from one of the trusted machines and cause a crash), but it would seriously reduce the attack surface. This was corrected upstream here: http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=bea499dcb2747d1f5b42eae4978cfe86a37dc957#patch3 Interestingly, it looks like it was a side-effect of improving some TLS features. This is fixed in Red Hat Enterprise Linux 6 via RHBA-2013:1716: https://rhn.redhat.com/errata/RHBA-2013-1716.html * The imgssapi module is initialized as soon as the configuration file reader encounters the $InputGSSServerRun directive in the /etc/rsyslog.conf configuration file. The supplementary options configured after $InputGSSServerRun are therefore ignored. For configuration to take effect, all imgssapi configuration options must be placed before $InputGSSServerRun. Previously, when this order was reversed, the rsyslogd daemon terminated unexpectedly with a segmentation fault. This bug has been fixed, and rsyslogd no longer crashes in the described scenario. (BZ#862517) The upstream git commit, according to the changelog, was fixed in 6.1.5. |