Bug 1658366 (CVE-2018-16881)
| Summary: | CVE-2018-16881 rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abhgupta, bmcclain, dapospis, dbaker, dblechte, dfediuck, ebenes, eedri, jlieskov, jokerman, jvymazal, lkundrak, mah.darade, mark, mgoldboi, michal.skrivanek, pvrabec, rmeggins, rsroka, sbonazzo, sbroz, security-response-team, sherold, sthangav, tosykora, trankin, yidegef182, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | rsyslog 8.27.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-06 13:20:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1659316, 1669364, 1669365 | ||
| Bug Blocks: | 1658368 | ||
This vulnerability appears to have been introduced in upstream commit 6c52f29d59, which was first included in release 8.13.1.
> optimized payload-copy in processDataRcvd for octate-counted frames (as length is pre-known, it is possible to avoid coping char by char, as opposed to octate-stuffed frames).
Acknowledgments: Name: Joel Miller (Pennsylvania Higher Education Assistance Agency) Mitigation: This vulnerability requires the "imptcp" module to be enabled, and listening on a port that can potentially be reached by attackers. This module is not enabled by default in Red Hat Enterprise Linux 7. To check if imptcp is enabled, look for the string `$InputPTCPServerRun`in your rsyslog configuration. shouldn't it say imtcp (instead of imptcp)? (In reply to Mark D. Foster from comment #12) > shouldn't it say imtcp (instead of imptcp)? No, there are two separate rsyslog plugins, imtcp adn imptcp (sort of simplified version), this bug concerns the latter one. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2110 https://access.redhat.com/errata/RHSA-2019:2110 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-16881 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2019:2437 https://access.redhat.com/errata/RHSA-2019:2437 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2019:2439 https://access.redhat.com/errata/RHSA-2019:2439 The https://www.myexamcollection.com/312-50v12-vce-questions.htm is one of the most difficult and important exams in the cyber security industry. It tests a variety of topics related to the security of both physical and digital networks. This exam is offered by EC-Council and is an essential part of the Certified Ethical Hacker (CEH) certification program. The exam comprises of 125 multiple-choice questions and is timed for three hours. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |
An issue was found in rsyslog. When imtcp module and Octet-Counted TCP Framing ("on" by default) are enabled, Rsyslog can be crashed remotely when sending an crafted (improperly formatted) message to "imptcp" listening socket. Upstream Patch: https://github.com/rsyslog/rsyslog/commit/0381a0de64a5a048c3d48b79055bd9848d0c7fc2