[v2.5] rsyslog: pri vulnerability (CVE-2014-3634, CVE-2014-3683)
CVE-2014-3634 / CVE-2014-3683:
Affected
--------
- rsyslog, most probably all versions (checked 5.8.6+; fixed in 8.4.2, 7.6.7) (all current Alpine Linux distros)
- sysklogd (checked most recent versions)
- potentially others (see root cause in the References links)
Version 8.4.2 is not vulnerable to either issue. Version 7.6.7, while no longer supported by the project, received a patch and is also not vulnerable.
Patches are available for versions known to be in widespread use. The patches for CVE-2014-3634 do not fully fix the issue, which is why CVE-2014-3683 was assigned. Versions 8.4.1 and 7.6.6 do NOT handle integer overflows and the resulting negative PRI values correctly, so upgrading to them is NOT a sufficient solution. All older v7 and v8 versions are vulnerable. The rsyslog project also provides patches for the older versions 5 and 3. This is purely a convenience for those who still run these very outdated versions. Note that these patches address only the segfault issue. They do NOT offer all features of the v7/8 series, as this would require considerable code changes. Most importantly, the "invld" facility is not available in the v3 patch. Also, the dead-version patches do not try to assign a specific severity to messages with invalid PRI values, nor do they prevent parsing of those messages. In general, it is suggested to upgrade to the currently supported version 8.4.2.
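The failure mode described above is a PRI prefix whose digits overflow the accumulating integer, yielding a negative value that is then used as a facility/severity index. The following is an added example of a bounds-checked PRI parser written for this issue; it is not rsyslog's code and the names (parse_pri, pri_result, facility_name, PRI_MAX) are assumptions. It caps the digit count so no overflow can occur, rejects any value above the RFC 3164/5424 maximum of 191, and maps anything invalid to an "invld" label instead of indexing a table with an out-of-range value.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Facility 0..23 and severity 0..7 give PRI = facility*8 + severity, at most 191. */
#define PRI_MAX 191
#define PRI_INVALID (-1)
#define PRI_MAX_DIGITS 3   /* 191 has three digits; more can never be valid */

typedef struct {
    int pri;          /* 0..191, or PRI_INVALID */
    int facility;     /* 0..23, or -1 when invalid */
    int severity;     /* 0..7, or -1 when invalid */
    const char *rest; /* text after the closing '>' (msg itself when no PRI parsed) */
} pri_result;

/* Parse the "<PRI>" prefix of a syslog message. Returns true only for a
 * syntactically valid, in-range PRI; on any failure the result is marked
 * invalid rather than left with an arbitrary or negative value. */
bool parse_pri(const char *msg, pri_result *out)
{
    out->pri = PRI_INVALID;
    out->facility = -1;
    out->severity = -1;
    out->rest = msg;

    if (msg == NULL || msg[0] != '<')
        return false;

    const char *p = msg + 1;
    int value = 0;
    int ndigits = 0;
    while (*p >= '0' && *p <= '9') {
        /* Stop before the accumulator can ever overflow: a fourth digit is
         * already out of range, so there is no need to keep multiplying. */
        if (++ndigits > PRI_MAX_DIGITS)
            return false;
        value = value * 10 + (*p - '0');
        p++;
    }
    if (ndigits == 0 || *p != '>')
        return false;          /* "<>" or unterminated prefix */

    out->rest = p + 1;
    if (value > PRI_MAX)
        return false;          /* e.g. "<192>": syntactically fine, semantically invalid */

    out->pri = value;
    out->facility = value >> 3;
    out->severity = value & 7;
    return true;
}

/* Bounds-checked facility lookup: an out-of-range index yields "invld"
 * instead of reading past the table. */
const char *facility_name(int facility)
{
    static const char *const names[] = {
        "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
        "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
        "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
    };
    if (facility < 0 || facility >= (int)(sizeof names / sizeof names[0]))
        return "invld";
    return names[facility];
}

int main(void)
{
    /* Constructed sample inputs: one well-formed, one overlong, one out of range. */
    const char *samples[] = {
        "<34>Oct 11 22:14:15 host su: test",
        "<99999999999999999999>host overflow attempt",
        "<192>host out-of-range",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        pri_result r;
        bool ok = parse_pri(samples[i], &r);
        printf("%-5s pri=%d facility=%s severity=%d rest=\"%s\"\n",
               ok ? "ok" : "bad", r.pri, facility_name(r.facility), r.severity, r.rest);
    }
    return 0;
}
```

The digit cap is the key defensive property: a parser that loops over every digit before range-checking has already overflowed by the time it compares against 191, which is exactly how a negative facility index arises.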
References:
http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/
http://www.rsyslog.com/remote-syslog-pri-vulnerability/
http://seclists.org/oss-sec/2014/q3/863
(from redmine: issue id 3488, created on 2014-10-28, closed on 2014-12-05)
- Relations:
- parent #3487