MidnightBSD

Advisories for rsyslog

CVE-2005-3074 HIGH

SQL injection vulnerability in rsyslogd in RSyslog before 1.0.1 and before 1.10.1 allows remote attackers to execute arbitrary SQL commands via crafted syslog messages.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rsyslog rsyslogd *
rsyslog rsyslogd 0.8.2_stable
rsyslog rsyslogd 0.9.4_stable
rsyslog rsyslogd 0.9.8_stable
rsyslog rsyslogd 0.9.5_stable
rsyslog rsyslogd 1.0.0_stable
rsyslog rsyslogd 0.8.3_stable
rsyslog rsyslogd 0.8.1_stable
rsyslog rsyslogd 0.9.7_stable
rsyslog rsyslogd 0.9.1_stable
rsyslog rsyslogd 0.9.6_stable
rsyslog rsyslogd 0.8.0_stable
rsyslog rsyslogd 0.8.4_stable
rsyslog rsyslogd 0.9.0_stable
rsyslog rsyslogd 0.9.3_stable
rsyslog rsyslogd 0.9.2_stable
CVE-2011-3200 MEDIUM

Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0 through 5.8.4 might allow remote attackers to cause a denial of service (application exit) via a long TAG in a legacy syslog message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
rsyslog rsyslog 5.7.1
rsyslog rsyslog 4.6.0
rsyslog rsyslog 5.8.3
rsyslog rsyslog 5.3.6
rsyslog rsyslog 5.5.6
rsyslog rsyslog 5.2.1
rsyslog rsyslog 5.2.0
rsyslog rsyslog 5.6.4
rsyslog rsyslog 5.3.4
rsyslog rsyslog 5.8.4
rsyslog rsyslog 5.5.5
rsyslog rsyslog 5.4.0
rsyslog rsyslog 5.5.1
rsyslog rsyslog 5.6.0
rsyslog rsyslog 4.6.6
rsyslog rsyslog 5.7.4
rsyslog rsyslog 5.4.1
rsyslog rsyslog 5.3.5
rsyslog rsyslog 4.6.1
rsyslog rsyslog 5.5.4
rsyslog rsyslog 5.7.3
rsyslog rsyslog 5.7.6
rsyslog rsyslog 5.7.5
rsyslog rsyslog 5.7.8
rsyslog rsyslog 5.8.1
rsyslog rsyslog 5.7.10
rsyslog rsyslog 5.3.1
rsyslog rsyslog 5.8.0
rsyslog rsyslog 5.7.2
rsyslog rsyslog 4.6.4
rsyslog rsyslog 5.7.7
rsyslog rsyslog 5.3.3
rsyslog rsyslog 5.3.7
rsyslog rsyslog 5.6.5
rsyslog rsyslog 5.6.1
rsyslog rsyslog 5.6.3
rsyslog rsyslog 5.5.0
rsyslog rsyslog 5.4.2
rsyslog rsyslog 4.6.3
rsyslog rsyslog 5.7.9
rsyslog rsyslog 4.6.2
rsyslog rsyslog 4.6.7
rsyslog rsyslog 5.2.2
rsyslog rsyslog 5.7.0
rsyslog rsyslog 5.5.2
rsyslog rsyslog 5.8.2
rsyslog rsyslog 4.6.5
rsyslog rsyslog 5.5.3
rsyslog rsyslog 5.3.2
rsyslog rsyslog 5.6.2
rsyslog rsyslog 5.5.7
CVE-2011-4623 LOW

Integer overflow in the rsCStrExtendBuf function in runtime/stringbuf.c in the imfile module in rsyslog 4.x before 4.6.6, 5.x before 5.7.4, and 6.x before 6.1.4 allows local users to cause a denial of service (daemon hang) via a large file, which triggers a heap-based buffer overflow.

CVSS 2.0

Severity: LOW

Problem Type: CWE-189,

Products Affected

Vendor Product Version
rsyslog rsyslog 5.7.1
rsyslog rsyslog 4.5.5
rsyslog rsyslog 4.6.0
rsyslog rsyslog 4.1.6
rsyslog rsyslog 5.3.6
rsyslog rsyslog 5.5.6
rsyslog rsyslog 5.2.1
rsyslog rsyslog 4.2.0
rsyslog rsyslog 4.5.3
rsyslog rsyslog 5.2.0
rsyslog rsyslog 5.1.0
rsyslog rsyslog 4.3.2
rsyslog rsyslog 5.6.4
rsyslog rsyslog 6.1.2
rsyslog rsyslog 4.1.2
rsyslog rsyslog 5.3.4
rsyslog rsyslog 4.4.2
rsyslog rsyslog 4.1.3
rsyslog rsyslog 4.3.0
rsyslog rsyslog 5.1.1
rsyslog rsyslog 5.5.5
rsyslog rsyslog 5.4.0
rsyslog rsyslog 5.5.1
rsyslog rsyslog 5.6.0
rsyslog rsyslog 4.4.0
rsyslog rsyslog 6.1.3
rsyslog rsyslog 4.3.1
rsyslog rsyslog 6.1.0
rsyslog rsyslog 5.4.1
rsyslog rsyslog 4.5.1
rsyslog rsyslog 4.1.5
rsyslog rsyslog 4.1.7
rsyslog rsyslog 5.3.5
rsyslog rsyslog 4.6.1
rsyslog rsyslog 5.5.4
rsyslog rsyslog 5.7.3
rsyslog rsyslog 4.4.1
rsyslog rsyslog 4.5.8
rsyslog rsyslog 4.5.2
rsyslog rsyslog 5.3.1
rsyslog rsyslog 5.7.2
rsyslog rsyslog 4.6.4
rsyslog rsyslog 6.1.1
rsyslog rsyslog 5.1.4
rsyslog rsyslog 5.3.3
rsyslog rsyslog 5.3.7
rsyslog rsyslog 5.6.5
rsyslog rsyslog 5.1.2
rsyslog rsyslog 5.1.6
rsyslog rsyslog 5.6.1
rsyslog rsyslog 4.5.7
rsyslog rsyslog 5.6.3
rsyslog rsyslog 5.5.0
rsyslog rsyslog 4.1.1
rsyslog rsyslog 5.4.2
rsyslog rsyslog 4.6.3
rsyslog rsyslog 4.6.2
rsyslog rsyslog 5.2.2
rsyslog rsyslog 4.1.0
rsyslog rsyslog 4.1.4
rsyslog rsyslog 5.7.0
rsyslog rsyslog 4.5.4
rsyslog rsyslog 5.5.2
rsyslog rsyslog 4.5.0
rsyslog rsyslog 4.6.5
rsyslog rsyslog 5.5.3
rsyslog rsyslog 5.3.2
rsyslog rsyslog 5.6.2
rsyslog rsyslog 5.1.5
rsyslog rsyslog 5.1.3
rsyslog rsyslog 5.5.7
rsyslog rsyslog 4.5.6
CVE-2013-4758 MEDIUM

Double free vulnerability in the writeDataError function in the ElasticSearch plugin (omelasticsearch) in rsyslog before 7.4.2 and before 7.5.2 devel, when errorfile is set to local logging, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted JSON response.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
rsyslog rsyslog 7.3.10
rsyslog rsyslog 7.3.7
rsyslog rsyslog 7.1.0
rsyslog rsyslog 7.1.2
rsyslog rsyslog 7.2.1
rsyslog rsyslog 7.3.4
rsyslog rsyslog 7.3.14
rsyslog rsyslog 7.2.4
rsyslog rsyslog 7.3.1
rsyslog rsyslog 7.1.9
rsyslog rsyslog 7.3.8
rsyslog rsyslog 7.1.10
rsyslog rsyslog 7.4.0
rsyslog rsyslog 7.1.5
rsyslog rsyslog 7.1.7
rsyslog rsyslog 7.3.5
rsyslog rsyslog 6.6.0
rsyslog rsyslog 7.2.3
rsyslog rsyslog 7.2.7
rsyslog rsyslog 7.3.15
rsyslog rsyslog 7.5.0
rsyslog rsyslog 7.1.12
rsyslog rsyslog 7.3.9
rsyslog rsyslog 6.4.2
rsyslog rsyslog 7.1.3
rsyslog rsyslog 7.1.4
rsyslog rsyslog 7.2.6
rsyslog rsyslog 7.1.8
rsyslog rsyslog 7.3.0
rsyslog rsyslog 7.3.3
rsyslog rsyslog 6.5.1
rsyslog rsyslog 7.3.12
rsyslog rsyslog 7.1.11
rsyslog rsyslog 7.1.6
rsyslog rsyslog *
rsyslog rsyslog 7.3.13
rsyslog rsyslog 7.2.5
rsyslog rsyslog 7.3.11
rsyslog rsyslog 7.2.2
rsyslog rsyslog 7.1.1
rsyslog rsyslog 7.3.6
CVE-2014-3634 HIGH

rsyslog before 7.6.6 and 8.x before 8.4.1 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash), possibly execute arbitrary code, or have other unspecified impact via a crafted priority (PRI) value that triggers an out-of-bounds array access.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
sysklogd_project sysklogd 1.2
rsyslog rsyslog 8.3.1
rsyslog rsyslog 8.3.2
rsyslog rsyslog 8.1.0
rsyslog rsyslog 8.3.0
rsyslog rsyslog 8.1.1
rsyslog rsyslog 8.1.4
rsyslog rsyslog 8.3.3
rsyslog rsyslog 8.3.4
sysklogd_project sysklogd *
rsyslog rsyslog 8.2.1
sysklogd_project sysklogd 1.4.1
rsyslog rsyslog 8.3.5
rsyslog rsyslog 8.2.2
rsyslog rsyslog 8.2.0
rsyslog rsyslog 8.1.2
rsyslog rsyslog 8.1.5
rsyslog rsyslog 8.1.3
rsyslog rsyslog 8.2.3
rsyslog rsyslog *
rsyslog rsyslog 8.1.6
rsyslog rsyslog 8.4.0
sysklogd_project sysklogd 1.1
sysklogd_project sysklogd 1.3
sysklogd_project sysklogd 1.4
CVE-2014-3683 MEDIUM

Integer overflow in rsyslog before 7.6.7 and 8.x before 8.4.2 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash) via a large priority (PRI) value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3634.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
sysklogd_project sysklogd 1.2
rsyslog rsyslog 8.3.1
rsyslog rsyslog 8.3.2
rsyslog rsyslog 8.1.0
rsyslog rsyslog 8.4.1
rsyslog rsyslog 8.3.0
rsyslog rsyslog 8.1.1
rsyslog rsyslog 8.1.4
rsyslog rsyslog 8.3.3
rsyslog rsyslog 8.3.4
sysklogd_project sysklogd *
rsyslog rsyslog 8.2.1
sysklogd_project sysklogd 1.4.1
rsyslog rsyslog 8.3.5
rsyslog rsyslog 8.2.2
rsyslog rsyslog 8.2.0
rsyslog rsyslog 8.1.2
rsyslog rsyslog 8.1.5
rsyslog rsyslog 8.1.3
rsyslog rsyslog 8.2.3
rsyslog rsyslog *
rsyslog rsyslog 8.1.6
rsyslog rsyslog 8.4.0
sysklogd_project sysklogd 1.1
sysklogd_project sysklogd 1.3
sysklogd_project sysklogd 1.4
CVE-2015-3243 LOW

rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron.

CVSS 2.0

Severity: LOW

Problem Type: CWE-532,

Products Affected

Vendor Product Version
rsyslog rsyslog -
CVE-2017-12588 HIGH

The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-134,

Products Affected

Vendor Product Version
rsyslog rsyslog *
CVE-2018-1000140 HIGH

rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in Remote code execution. This attack appear to be exploitable a remote attacker that can connect to rsyslog and trigger a stack buffer overflow by sending a specially crafted x509 certificate.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_eus 6.7
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_server 7.0
redhat enterprise_linux_desktop 6.0
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_workstation 6.0
rsyslog librelp *
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_aus 7.4
canonical ubuntu_linux 14.04
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server 6.0
redhat enterprise_linux_server_aus 6.6
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_tus 6.6
debian debian_linux 8.0
CVE-2018-16881 MEDIUM

A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash. Versions before 8.27.0 are vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
redhat enterprise_linux_for_ibm_z_systems 7.0
redhat enterprise_linux_for_scientific_computing 7.0
redhat enterprise_linux_for_power_little_endian 7.0
redhat enterprise_linux_server 7.0
redhat virtualization_manager 4.3
debian debian_linux 9.0
redhat virtualization 4.0
redhat enterprise_linux_for_power_big_endian 7.0
redhat enterprise_linux_desktop 7.0
redhat virtualization_host 4.0
rsyslog rsyslog *
redhat enterprise_linux_workstation 7.0
CVE-2019-17040 HIGH

contrib/pmdb2diag/pmdb2diag.c in Rsyslog v8.1908.0 allows out-of-bounds access because the level length is mishandled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
rsyslog rsyslog 8.1908.0
CVE-2019-17041 HIGH

An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfrom/pmaixforwardedfrom.c has a heap overflow in the parser for AIX log messages. The parser tries to locate a log message delimiter (in this case, a space or a colon) but fails to account for strings that do not satisfy this constraint. If the string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that detects invalid log messages. The message will then be considered valid, and the parser will eat up the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero and now becomes minus one. The following step in the parser is to shift left the contents of the message. To do this, it will call memmove with the right pointers to the target and destination strings, but the lenMsg will now be interpreted as a huge value, causing a heap overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
fedoraproject fedora 30
debian debian_linux 9.0
opensuse leap 15.0
rsyslog rsyslog 8.1908.0
opensuse leap 15.1
fedoraproject fedora 31
CVE-2019-17042 HIGH

An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmcisconames.c has a heap overflow in the parser for Cisco log messages. The parser tries to locate a log message delimiter (in this case, a space or a colon), but fails to account for strings that do not satisfy this constraint. If the string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that detects invalid log messages. The message will then be considered valid, and the parser will eat up the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero and now becomes minus one. The following step in the parser is to shift left the contents of the message. To do this, it will call memmove with the right pointers to the target and destination strings, but the lenMsg will now be interpreted as a huge value, causing a heap overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
fedoraproject fedora 30
debian debian_linux 9.0
opensuse leap 15.0
rsyslog rsyslog 8.1908.0
opensuse leap 15.1
fedoraproject fedora 31
CVE-2022-24903 MEDIUM

Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-1284,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp active_iq_unified_manager -
fedoraproject fedora 35
rsyslog rsyslog *
debian debian_linux 9.0
debian debian_linux 11.0