Bug 24342 - rsyslog new security issue CVE-2018-16881
Summary: rsyslog new security issue CVE-2018-16881
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2019-02-10 22:54 CET by David Walser
Modified: 2019-02-11 15:00 CET

See Also:
Source RPM: rsyslog-8.16.0-1.1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2019-02-10 22:54:38 CET
openSUSE has issued an advisory on February 8:
https://lists.opensuse.org/opensuse-updates/2019-02/msg00043.html

The upstream fix is already included in the version in Cauldron.

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated rsyslog packages fix security vulnerability:

A denial of service vulnerability was found in rsyslog in the imptcp module.
An attacker could send a specially crafted message to the imptcp socket, which
would cause rsyslog to crash (CVE-2018-16881).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16881
https://lists.opensuse.org/opensuse-updates/2019-02/msg00043.html
========================

Updated packages in core/updates_testing:
========================
rsyslog-8.16.0-1.2.mga6
rsyslog-mysql-8.16.0-1.2.mga6
rsyslog-pgsql-8.16.0-1.2.mga6
rsyslog-gssapi-8.16.0-1.2.mga6
rsyslog-relp-8.16.0-1.2.mga6
rsyslog-dbi-8.16.0-1.2.mga6
rsyslog-snmp-8.16.0-1.2.mga6
rsyslog-gnutls-8.16.0-1.2.mga6
rsyslog-crypto-8.16.0-1.2.mga6
rsyslog-elasticsearch-8.16.0-1.2.mga6
rsyslog-journald-8.16.0-1.2.mga6

from rsyslog-8.16.0-1.2.mga6.src.rpm
Comment 1 Herman Viaene 2019-02-11 15:00:12 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 14206 for test:
# systemctl  start rsyslog
# systemctl  -l status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since ma 2019-02-11 14:38:40 CET; 20s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 24378 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─24378 /sbin/rsyslogd -n

feb 11 14:38:38 mach6.hviaene.thuis systemd[1]: Starting System Logging Service...
feb 11 14:38:40 mach6.hviaene.thuis systemd[1]: Started System Logging Service.

then on remote desktop:
logger -n <rsyslog host> --prio-prefix '<201>' testlogmessage

and I get here:
# tail /var/log/syslog
Feb 11 14:39:09 mach6 kernel: [ 8573.991927] Shorewall:net-fw:DROP:IN=enp2s8 OUT= MAC=00:0a:e4:c3:73:39:c8:60:00:da:37:ff:08:00 SRC=192.168.2.1 DST=192.168.2.6 LEN=156 TOS=0x00 PREC=0x00 TTL=64 ID=30856 DF PROTO=UDP SPT=49941 DPT=514 LEN=136 
So shorewall intercepted the message on port 514
Opened 514/udp in MCC, entered same command in remote desktop and got
# tail /var/log/syslog
Feb 11 14:55:25 mach6 root: Shorewall started
Feb 11 14:55:25 mach6 shorewall[27884]: done.
Feb 11 14:55:25 mach6 systemd[1]: Started Shorewall IPv4 firewall.
Feb 11 14:55:25 mach6 systemd[1]: Started Network monitoring daemon (Interactive Firewall and wireless).
Feb 11 14:55:25 mach6 root: Shorewall started
Feb 11 14:55:25 mach6 shorewall: done.
Feb 11 14:55:25 mach6 systemd: Started Shorewall IPv4 firewall.
Feb 11 14:55:25 mach6 systemd: Started Network monitoring daemon (Interactive Firewall and wireless).
Feb 11 14:55:34 mach6 mandi[28112]: skipping known address: 192.168.2.1
Feb 11 14:55:34 mach6 mandi: skipping known address: 192.168.2.1
but no message showing up.
Repeated the same test after switching off the firewall completely, but still no message showing up.

CC: (none) => herman.viaene
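As an added example (not from the bug report or the rsyslog project): a posture check for this CVE. The advisory places the flaw in the imptcp module, so the script reports exposure only when an rsyslog configuration actually loads imptcp and the installed version-release is below the patched build listed above; it assumes GNU `sort -V` for version ordering, and the sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the bug report. CVE-2018-16881 is in rsyslog's
# imptcp module, so a host is only reachable through it if its configuration
# loads imptcp; FIXED_EVR is the patched Mageia 6 build from the advisory.
# Version ordering relies on GNU "sort -V" (assumption).

FIXED_EVR="8.16.0-1.2.mga6"

# Return 0 if any given config file loads imptcp, in either the legacy
# "$ModLoad imptcp" form or the RainerScript module(load="imptcp") form.
imptcp_loaded() {
    grep -Eiq \
        '^[[:space:]]*(\$ModLoad[[:space:]]+imptcp|module\([[:space:]]*load="imptcp")' \
        "$@" 2>/dev/null
}

# Return 0 if the installed version-release ($1, as printed by
# rpm -q --qf '%{VERSION}-%{RELEASE}' rsyslog) is at least FIXED_EVR.
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_EVR" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# Combine both checks: return 1 only when imptcp is loaded AND the
# package predates the fix; return 0 otherwise.
check_exposure() {
    evr="$1"; shift
    if ! imptcp_loaded "$@"; then
        echo "imptcp not loaded: CVE-2018-16881 not reachable"; return 0
    fi
    if is_fixed "$evr"; then
        echo "imptcp loaded; rsyslog $evr already carries the fix"; return 0
    fi
    echo "EXPOSED: imptcp loaded and rsyslog $evr is older than $FIXED_EVR"
    return 1
}

# Write a constructed sample configuration (RainerScript style) to a temp
# file and print its path, so the check can be demonstrated offline.
make_sample_conf() {
    f=$(mktemp)
    printf '%s\n' 'module(load="imuxsock")' 'module(load="imptcp")' \
        'input(type="imptcp" port="514")' >"$f"
    echo "$f"
}
conf=$(make_sample_conf)
check_exposure "8.16.0-1.1.mga6" "$conf" || true   # build from this bug's Source RPM
check_exposure "8.16.0-1.2.mga6" "$conf"           # the updated build
rm -f "$conf"
```

On a real host, feed `is_fixed` the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' rsyslog` and point `imptcp_loaded` at `/etc/rsyslog.conf /etc/rsyslog.d/*.conf`.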

