Agreed. Unexpected octet counting of rawmsg can also cause other problems. Best to disable by default.
Thanks all!

> On May 5, 2022, at 14:04, David Lang <da...@lang.hm> wrote:
>
> octet counting is an unusual enough use case, I would suggest that distros
> consider disabling it by default (for new installs, not changing existing
> installs)
>
> David Lang
>
> On Thu, 5 May 2022, John Chivian via rsyslog wrote:
>
>> Date: Thu, 5 May 2022 13:31:19 -0500
>> From: John Chivian via rsyslog <rsyslog@lists.adiscon.com>
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>> Cc: John Chivian <jchiv...@chivian.com>
>> Subject: Re: [rsyslog] rsyslog security vulnerability in versions < 8.2204.1
>>
>> Hello Rainer -
>>
>> Can you please confirm that the input in the following configuration
>> snippet is NOT vulnerable…
>>
>> module(load="imptcp")
>> input(
>>   type="imptcp"
>>   name="userdata"
>>   port="5140"
>>   ruleset="userdata_input"
>>   supportoctetcountedframing="no"
>> )
>>
>> Thanks,
>>
>>> On May 5, 2022, at 07:11, Rainer Gerhards via rsyslog
>>> <rsyslog@lists.adiscon.com> wrote:
>>>
>>> Dear List,
>>>
>>> there is a heap buffer overflow vulnerability in rsyslog tcp reception
>>> components, most notably imtcp and imptcp. This can only happen in
>>> octet-counted mode, which is enabled by default.
>>>
>>> If the receiver ports are exposed to the public Internet AND are used
>>> without authentication, this can lead to remote DoS and potentially to
>>> remote code execution. It is unclear if remote code execution is
>>> actually possible. If so, it needs a very sophisticated attack.
>>>
>>> When syslog best practices with proper firewalling and authentication
>>> are used, then an attack can only be carried out from within the Intranet
>>> and authorized systems. This limits the severity of the vulnerability
>>> considerably (it would obviously require an attacker already to be
>>> present inside the internal network).
>>>
>>> Advisory:
>>> https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243
>>>
>>> A patch is available, updated packages are already available or will
>>> be within the next few hours. The daily stable will contain the patch
>>> later today.
>>>
>>> Credits to Peter Agten for initially reporting the issue and working
>>> with us on the resolution.
>>>
>>> Rainer
>>> _______________________________________________
>>> rsyslog mailing list
>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>>> LIKE THAT.
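The thread turns on what octet-counted framing is and why a receiver that can be switched out of it (the `supportoctetcountedframing="no"` input above) is in a different position from one that trusts a sender-supplied length. The following is an added example, not code from this thread or from the rsyslog project: a small Python parser for the two syslog-over-TCP framings in RFC 6587, octet-counted (`<len> <msg>`) and non-transparent (LF-terminated), written the way a defensive receiver handles a length prefix, by bounding the count before any buffer is sized from it. The limits `MAX_DIGITS` and `MAX_FRAME`, the function names and the sample streams are all constructed for the example and are not rsyslog's own values.

```python
# Added example (not from the thread or from rsyslog's own code): a minimal
# parser for the two syslog-over-TCP framings in RFC 6587, octet-counted
# ("<len> <msg>") and non-transparent (LF-terminated), written the way a
# defensive receiver should handle a sender-supplied length: bound the count
# before trusting it. MAX_DIGITS and MAX_FRAME are constructed limits for the
# example, not rsyslog's values.
from typing import List, Optional, Tuple

MAX_DIGITS = 8          # constructed: refuse absurdly long length prefixes
MAX_FRAME = 64 * 1024   # constructed: largest message this receiver accepts


class FrameError(ValueError):
    """Raised when a frame header is malformed or exceeds configured limits."""


def parse_frames(data: bytes, octet_counted: bool = True,
                 max_frame: int = MAX_FRAME) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into syslog messages.

    Returns (messages, remainder); remainder holds an incomplete trailing
    frame that must be kept until more bytes arrive. With octet_counted=False
    (the equivalent of supportoctetcountedframing="no") every line is treated
    as non-transparent framing, even if it starts with digits.
    """
    msgs: List[bytes] = []
    pos, n = 0, len(data)
    while pos < n:
        # RFC 6587: MSG-LEN = NONZERO-DIGIT *DIGIT, so a frame starting with
        # '1'..'9' is octet-counted; a real syslog message starts with '<PRI>'.
        if octet_counted and 0x31 <= data[pos] <= 0x39:
            end = pos
            while end < n and data[end:end + 1].isdigit():
                end += 1
                if end - pos > MAX_DIGITS:
                    raise FrameError("octet count too long")
            if end == n:
                break                      # header not complete yet
            if data[end:end + 1] != b" ":
                raise FrameError("malformed octet-count header")
            length = int(data[pos:end])
            # The check the thread is about: never size a buffer from an
            # unchecked, sender-controlled count.
            if length > max_frame:
                raise FrameError(f"declared length {length} exceeds limit {max_frame}")
            start = end + 1
            if start + length > n:
                break                      # body not complete yet
            msgs.append(data[start:start + length])
            pos = start + length
        else:
            nl = data.find(b"\n", pos)
            if nl == -1:
                if n - pos > max_frame:
                    raise FrameError("unterminated line exceeds limit")
                break                      # wait for the terminating LF
            msgs.append(data[pos:nl])
            pos = nl + 1
    return msgs, data[pos:]


def frame_error(data: bytes, octet_counted: bool = True) -> Optional[str]:
    """Return the FrameError message for a stream, or None if it parses cleanly."""
    try:
        parse_frames(data, octet_counted)
    except FrameError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample stream: two octet-counted frames and one LF-framed line.
    stream = b"9 <13>hello9 <13>world<13>plain line\n"
    print(parse_frames(stream))
    print(frame_error(b"99999999 x"))
```

Calling `parse_frames(..., octet_counted=False)` mirrors the effect of the `supportoctetcountedframing="no"` input in the thread: a line such as `123 not a count` is then delivered as an ordinary LF-framed message rather than being read as a length prefix, which is also why David Lang's suggestion to disable the mode by default costs nothing for senders that only use non-transparent framing.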