Hello Rainer - Can you please confirm that the input in the following configuration snippet is NOT vulnerable…
module(load="imptcp")
input(
    type="imptcp"
    name="userdata"
    port="5140"
    ruleset="userdata_input"
    supportoctetcountedframing="no"
)

Thanks,

> On May 5, 2022, at 07:11, Rainer Gerhards via rsyslog <[email protected]> wrote:
>
> Dear List,
>
> there is a heap buffer overflow vulnerability in rsyslog tcp reception
> components, most notably imtcp and imptcp. This can only happen in
> octet-counted mode, which is enabled by default.
>
> If the receiver ports are exposed to the public Internet AND are used
> without authentication, this can lead to remote DoS and potentially to
> remote code execution. It is unclear if remote code execution is
> actually possible. If so, it needs a very sophisticated attack.
>
> When syslog best practices with proper firewalling and authentication
> are used, then an attack can only be carried out from within the Intranet
> and authorized systems. This limits the severity of the vulnerability
> considerably (it would obviously require an attacker already to be
> present inside the internal network).
>
> Advisory:
> https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243
>
> A patch is available, updated packages are already available or will
> be within the next few hours. The daily stable will contain the patch
> later today.
>
> Credits to Peter Agten for initially reporting the issue and working
> with us on the resolution.
>
> Rainer
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
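Since the question turns on the framing mode, here is an added illustration (not rsyslog's code) of the two TCP syslog framings the thread discusses: in octet-counted mode the peer declares the message length, so a receiver must bound that length before using it for any buffer sizing, whereas non-transparent (LF-terminated) mode carries no peer-controlled length at all. MAX_MSG_LEN and the sample byte stream are assumptions made for the example.

```python
# Added example, not rsyslog code. Decodes a TCP syslog byte stream in either
# octet-counted framing ("NNN <msg>", RFC 6587 section 3.4.1) or
# non-transparent framing ("<msg>\n"), with the receiver enforcing its own cap.

MAX_MSG_LEN = 8192                 # assumed receiver limit, not an rsyslog default
MAX_DIGITS = len(str(MAX_MSG_LEN)) # longest length prefix that can still be valid


class FramingError(ValueError):
    """Raised when a peer-supplied length or frame is rejected."""


def decode_frames(buf: bytes, octet_counted: bool = True):
    """Return ([(framing, message), ...], unconsumed_tail) for a byte stream."""
    frames, pos = [], 0
    while pos < len(buf):
        if octet_counted and buf[pos:pos + 1].isdigit():
            # Octet-counted: parse the decimal prefix with a digit cap so an
            # oversized length is refused before it is even converted.
            end = pos
            while end < len(buf) and buf[end:end + 1].isdigit():
                end += 1
                if end - pos > MAX_DIGITS:
                    raise FramingError("length prefix too long")
            if end == len(buf):
                break                               # need the separator yet
            if buf[end:end + 1] != b" ":
                raise FramingError("missing space after length")
            length = int(buf[pos:end])
            if length == 0 or length > MAX_MSG_LEN:
                # Bound check BEFORE any allocation or copy sized by 'length'.
                raise FramingError(f"declared length {length} out of bounds")
            start = end + 1
            if len(buf) - start < length:
                break                               # partial frame, wait
            frames.append(("octet-counted", buf[start:start + length]))
            pos = start + length
        else:
            # Non-transparent: the receiver, not the peer, decides the bound.
            nl = buf.find(b"\n", pos)
            if nl == -1:
                if len(buf) - pos > MAX_MSG_LEN:
                    raise FramingError("unterminated message exceeds cap")
                break                               # wait for the newline
            if nl - pos > MAX_MSG_LEN:
                raise FramingError("message exceeds cap")
            frames.append(("non-transparent", buf[pos:nl]))
            pos = nl + 1
    return frames, buf[pos:]


def rejects(buf: bytes, octet_counted: bool = True) -> bool:
    """True if the decoder refuses the stream instead of sizing a buffer by it."""
    try:
        decode_frames(buf, octet_counted)
        return False
    except FramingError:
        return True


# Constructed sample: one octet-counted frame, one LF-terminated message,
# then an incomplete octet-counted frame that must be left in the tail.
SAMPLE = b"9 <13>hello<13>second line\n5 ab"
```

With `octet_counted=False` (the effect of `supportoctetcountedframing="no"` above) a leading digit is treated as ordinary message text, so no peer-declared length is ever parsed.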

