Bug 1524783 (CVE-2017-10906)

Summary: CVE-2017-10906 fluentd: Escape sequence injection in filter_parser.rb:filter_stream can lead to arbitrary command execution when processing logs
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, apevec, bleanhar, bmcclain, ccoleman, chrisw, dblechte, dedgar, dmcphers, eedri, jbadiapa, jcantril, jgoulding, jjoyce, jkeck, jokerman, jschluet, kbasil, lars, lhh, lmarsh, lpeer, markmc, mburns, mchappel, mgoldboi, michal.skrivanek, mmagr, mrunge, rbryant, rmccabe, sbonazzo, sclewis, security-response-team, sherold, slinaber, slong, tdecacqu, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:33:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1552379, 1565212    
Bug Blocks: 1524787    

Description Sam Fowler 2017-12-12 03:55:55 UTC 
Escape sequence injection vulnerability in the filter_parser.rb:filter_stream function of Fluentd versions 0.12.29 through 0.12.40 may allow for unescaped arbitrary command injection to log files and terminal output.

Processing a specially crafted log may allow for arbitrary command exectuion on the device collecting logs.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-10906
https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes
https://github.com/fluent/fluentd/pull/1733
https://jvn.jp/en/vu/JVNVU95124098/index.html
Comment 8 Andrej Nemec 2018-05-14 12:17:14 UTC 
Statement:

This flaw requires particular preconditions to be exploitable, which are not common in supported deployments of fluentd. The vulnerable system must have all of:

1. A filter_parser enabled in fluentd.conf

2. Fluentd running in non-daemon mode or a bad syslog server that doesn't sanitise escape sequences (rsyslog does)

3. A vulnerable terminal that happens to be running fluentd or manipulating the fluentd log file (for example tailing it)

This issue affects the versions of fluentd as shipped with Red Hat OpenShift Enterprise 3. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 11 errata-xmlrpc 2018-07-19 13:49:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 Operational Tools for RHEL 7

Via RHSA-2018:2225 https://access.redhat.com/errata/RHSA-2018:2225