octet counting is an unusual enough use case, I would suggest that distros
consider disabling it by default (for new installs, not changing existing
installs)
David Lang
On Thu, 5 May 2022, John Chivian via rsyslog wrote:
Date: Thu, 5 May 2022 13:31:19 -0500
From: John Chivian via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: John Chivian <jchiv...@chivian.com>
Subject: Re: [rsyslog] rsyslog security vulnerability in versions < 8.2204.1
Hello Rainer -
Can you please confirm that the input in the following configuration snippet
is NOT vulnerable…
module(load="imptcp")
input(
type="imptcp"
name="userdata"
port="5140"
ruleset="userdata_input"
supportoctetcountedframing="no"
)
Thanks,
On May 5, 2022, at 07:11, Rainer Gerhards via rsyslog
<rsyslog@lists.adiscon.com> wrote:
Dear List,
there is a heap buffer overflow vulnerability in rsyslog tcp reception
components, most notably imtcp and imptcp. This can only happen in
octet-counted mode, which is enabled by default.
If the receiver ports are exposed to the public Internet AND are used
without authentication, this can lead to remote DoS and potentially to
remote code execution. It is unclear if remote code execution is
actually possible. If so, it needs a very sophisticated attack.
When syslog best practices with proper firewalling and authentication
are used, then an attack can only be carried out from within the Intranet
and authorized systems. This limits the severity of the vulnerability
considerably (it would obviously require an attacker already to be
present inside the internal network).
Advisory:
https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243
A patch is available, updated packages are already available or will
be within the next few hours. The daily stable will contain the patch
later today.
Credits to Peter Agten for initially reporting the issue and working
with us on the resolution.
Rainer
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
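As an added, defender-side illustration of the framing mode this thread is about (example code written here, not rsyslog's own): a small parser for the two syslog-over-TCP framing styles of RFC 6587, octet-counted ("<count> <message>") and non-transparent (LF-terminated, which is all that remains when supportoctetcountedframing="no" is set). It caps the width of the count field and the message size before either value is used, which is the class of check a heap overflow in a framing layer is missing. MAX_MSG_LEN and the digit cap derived from it are assumed values for the example, not rsyslog settings.

```python
from typing import List, Tuple

# Assumed limits for this example; a real receiver takes them from its config.
MAX_MSG_LEN = 8192
MAX_COUNT_DIGITS = len(str(MAX_MSG_LEN))  # a longer count can never be a valid length
Result = Tuple[List[bytes], List[str], bytes]   # (messages, rejections, remainder)

def _reject(msgs, rejects, reason: str) -> Result:
    # A malformed or over-limit frame: the receiver should close the connection,
    # so parsing stops here and nothing after the bad frame is trusted.
    rejects.append(reason)
    return msgs, rejects, b""

def parse_frames(buf: bytes, octet_counting: bool = True) -> Result:
    """Split a syslog-over-TCP byte stream into messages (RFC 6587 framing)."""
    msgs, rejects, pos = [], [], 0
    while pos < len(buf):
        if octet_counting and buf[pos:pos + 1].isdigit():
            # Octet-counted frame "<count> <message>": bound the digit scan before
            # the count is converted, so it can never be used to size a buffer.
            end = pos
            while end < len(buf) and buf[end:end + 1].isdigit():
                end += 1
                if end - pos > MAX_COUNT_DIGITS:
                    return _reject(msgs, rejects, "octet count has too many digits")
            if end == len(buf):
                return msgs, rejects, buf[pos:]            # need more bytes
            if buf[end:end + 1] != b" ":
                return _reject(msgs, rejects, "octet count not followed by space")
            count = int(buf[pos:end])
            if count > MAX_MSG_LEN:
                return _reject(msgs, rejects, f"octet count {count} exceeds limit")
            start = end + 1
            if start + count > len(buf):
                return msgs, rejects, buf[pos:]            # frame not complete yet
            msgs.append(buf[start:start + count])
            pos = start + count
        else:
            # Non-transparent framing: the message runs to the next LF. The same
            # cap applies, so an endless unterminated line cannot grow the buffer.
            nl = buf.find(b"\n", pos)
            if nl == -1:
                if len(buf) - pos > MAX_MSG_LEN:
                    return _reject(msgs, rejects, "unterminated line exceeds limit")
                return msgs, rejects, buf[pos:]
            if nl - pos > MAX_MSG_LEN:
                return _reject(msgs, rejects, "line exceeds limit")
            msgs.append(buf[pos:nl])
            pos = nl + 1
    return msgs, rejects, b""
```

With octet counting enabled, a plain LF-framed message that happens to start with digits is read as a count (the RFC 6587 ambiguity), which is one more reason to turn the mode off on inputs that never use it.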