[rsyslog] security issue in rsyslog

Rainer Gerhards rgerhards at hq.adiscon.com
Thu Dec 4 17:40:43 CET 2008


3.21.8 has now also been replaced by 3.21.9. As with 3.20.2, links
remain intact. 3.21.8 has probably never been downloaded, but I thought
it is safer to use a new version number, especially as it is a security
issue.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, December 04, 2008 2:48 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
> 
> OK, 3.20.1 is now re-released as 3.20.2 (there were a few downloads...).
> The download link is still correct, it is updated (including the md5sum
> ;)). 3.21.8 is pulled and I'll restore it next.
> 
> Sorry for the hassle.
> 
> Rainer
> 
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > Sent: Thursday, December 04, 2008 1:38 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] security issue in rsyslog
> >
> > Grrr... One more issue. I noticed that while I resolved some conflicts
> > on the devel branch integration. There is an option that a log message
> > is emitted by rsyslog itself, when a remote machine's message is
> > discarded due to no permission. This was requested so that people know
> > when something goes wrong. This is only in the UDP code.
> >
> > HOWEVER, this is not rate-limited so if someone carries out a heavy
> > attack, he can still flood the local disk by these messages. I'll change
> > it so that the message is emitted only once every minute and will then
> > re-release what already has been released...
> >
> > Rainer
> >
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > Sent: Wednesday, December 03, 2008 11:30 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] security issue in rsyslog
> > >
> > > The memory leak is now also fixed, I just quickly re-run some TLS tests
> > > to make sure nothing is broken and it works there, too.
> > >
> > > Patch (on top of the others):
> > >
> > > http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=b41bdeff56ad9d54dddcb8703560c750f04a6370
> > >
> > > Rainer
> > >
> > > > -----Original Message-----
> > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > Sent: Wednesday, December 03, 2008 10:54 AM
> > > > To: rsyslog-users
> > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > >
> > > > Ok, I ran this fix through a couple of tests yesterday. It looks well
> > > > for TLS, too. Note that there is an implication that $AllowedSender
> > > > TCP,... applies to TLS too (because it is TCP). I'd consider this to be
> > > > a side-effect, but I do not think it is worth fixing. With TLS, there is
> > > > much finer and better control. An issue may only exist if someone
> > > > decides to run non-tls tcp and tls tcp together AND use $AllowedSender.
> > > > Workaround in that case is to use the firewall, so I don't consider it
> > > > is worth fixing now.
> > > >
> > > > Please note that my testing revealed a potential memory leak as
> > > > side-effect of the fixes. This could be abused to a remote DoS, so I
> > > > will investigate that before releasing.
> > > >
> > > > Rainer
> > > >
> > > > > -----Original Message-----
> > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > Sent: Monday, December 01, 2008 6:47 PM
> > > > > To: rsyslog-users
> > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > >
> > > > > And now there is an *untested* fix for the TLS driver:
> > > > >
> > > > > http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=61b59a78c6b558ec06383fc5969178887d00abfc
> > > > >
> > > > > Testing takes a bit more of time, I need to set up the test environment
> > > > > for TLS again (looks like it would really pay to have a fixed test suite
> > > > > for all those cases - also the issue here would have never occurred...).
> > > > >
> > > > > Please note that I mistook GSSAPI with TLS in my previous mail. The TLS
> > > > > part should not be really affected by the problem: there are so much
> > > > > better access control features in TLS...
> > > > >
> > > > > Rainer
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > > > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > Sent: Monday, December 01, 2008 5:52 PM
> > > > > > To: rsyslog-users
> > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > >
> > > > > > Ok, looks like I found a work-around. Not that elegant, but seems to
> > > > > > work quite well. Patch for TCP is here:
> > > > > >
> > > > > > http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=97b89435aad77bd6d9e18747b55d701e360d5aac
> > > > > >
> > > > > > Please note that this effectively disables GSS functionality. I'll
> > > > > > update the GSS drivers in the next step.
> > > > > >
> > > > > > Rainer
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > > > > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > Sent: Monday, December 01, 2008 5:08 PM
> > > > > > > To: rsyslog-users
> > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > >
> > > > > > > The issue also exists in TCP mode, but analysis shows this is not a
> > > > > > > trial fix. The design overlooked the situation. In theory, a whole new
> > > > > > > access control feature would be needed. I am checking out if it is
> > > > > > > possible to "just" enhance the interface. With the current netstreams
> > > > > > > defined that should be possible. I am tempted to release the UDP-fixed
> > > > > > > version and release the next version with the TCP fix. Feedback from
> > > > > > > packagers is appreciated. The TCP fix may take a day or two, depending
> > > > > > > on how smart a way I find.
> > > > > > >
> > > > > > > Rainer
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > > > > > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > Sent: Monday, December 01, 2008 4:37 PM
> > > > > > > > To: rsyslog-users
> > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > >
> > > > > > > > ... and the patch will not work on all of these versions, due to the
> > > > > > > > introduction of the netstream driver functionality. Please note that
> > > > > > > > anything older than current v3-stable is outdated, so the proper way to
> > > > > > > > replace the faulty code is to upgrade to the current v3-stable and apply
> > > > > > > > the patch. I will also release a new v3-stable soon, hopefully today
> > > > > > > > (but I'd like to conduct some more tests).
> > > > > > > >
> > > > > > > > Rainer
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > > Sent: Monday, December 01, 2008 4:31 PM
> > > > > > > > > To: rsyslog-users
> > > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > > >
> > > > > > > > > I now clarified the affected versions. Affected are 3.12.2 and above.
> > > > > > > > >
> > > > > > > > > Rainer
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > > > Sent: Monday, December 01, 2008 3:32 PM
> > > > > > > > > > To: rsyslog-users
> > > > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > > > >
> > > > > > > > > > Hi all,
> > > > > > > > > >
> > > > > > > > > > this is the patch for v3-stable:
> > > > > > > > > >
> > > > > > > > > > http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=f0ddbed44c332391ae6d9bbf6b07e2f06c4dd676
> > > > > > > > > >
> > > > > > > > > > I have not tried yet, but I think it will work on almost all other
> > > > > > > > > > versions, too. I keep you posted on the progress.
> > > > > > > > > >
> > > > > > > > > > Rainer
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > > > > Sent: Monday, December 01, 2008 11:27 AM
> > > > > > > > > > > To: rsyslog-users
> > > > > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > > > > >
> > > > > > > > > > > Version v2-stable is NOT vulnerable.
> > > > > > > > > > >
> > > > > > > > > > > Rainer
> > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > > > > > > > > > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > > > > > Sent: Monday, December 01, 2008 10:55 AM
> > > > > > > > > > > > To: rsyslog-users
> > > > > > > > > > > > Subject: [rsyslog] security issue in rsyslog
> > > > > > > > > > > >
> > > > > > > > > > > > Hi folks,
> > > > > > > > > > > >
> > > > > > > > > > > > thanks to a bug report, I found out that the $AllowedSender directive
> > > > > > > > > > > > does not work in all releases. The bug in question is:
> > > > > > > > > > > >
> > > > > > > > > > > > http://bugzilla.adiscon.com/show_bug.cgi?id=111
> > > > > > > > > > > >
> > > > > > > > > > > > I am currently working on the bug. Obviously, this can lead to messages
> > > > > > > > > > > > being received from systems that are not permitted to do so. As a
> > > > > > > > > > > > work-around, proper firewalling should be set up on the vulnerable
> > > > > > > > > > > > hosts. Until further notice, I would assume that all versions of
> > > > > > > > > > > > rsyslog are affected (I will provide more detail during my analysis).
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks,
> > > > > > > > > > > > Rainer
> > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > rsyslog mailing list
> > > > > > > > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > > > > > > > http://www.rsyslog.com



More information about the rsyslog mailing list
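
The once-per-minute limit on the "message discarded" notice described in the thread, together with a sender check, as an added example in C. It is not part of the original thread and not rsyslog's own code; the ACL layout, the function names and the constructed flood are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>
/* All names here are hypothetical; this is not rsyslog's code. */
#define DENY_LOG_INTERVAL 60            /* seconds between denial notices */
struct allowed_net { uint32_t addr, mask; };    /* IPv4, host byte order */
struct deny_limiter { time_t last_emit; unsigned long suppressed; };

/* Return 1 if src lies inside any allowed network, else 0. */
int sender_allowed(const struct allowed_net *acl, size_t n, uint32_t src)
{
    for (size_t i = 0; i < n; i++)
        if ((src & acl[i].mask) == (acl[i].addr & acl[i].mask))
            return 1;
    return 0;
}

/* Per discarded message: 1 and buf filled if a notice is due, else 0. */
int deny_notice(struct deny_limiter *rl, uint32_t src, time_t now,
                char *buf, size_t len)
{
    /* last_emit == 0 means no notice has been written yet */
    if (rl->last_emit != 0 && now - rl->last_emit < DENY_LOG_INTERVAL) {
        rl->suppressed++;
        return 0;
    }
    snprintf(buf, len, "discarded message from disallowed sender "
             "%u.%u.%u.%u (%lu notices suppressed since last one)",
             (unsigned)(src >> 24), (unsigned)((src >> 16) & 0xff),
             (unsigned)((src >> 8) & 0xff), (unsigned)(src & 0xff),
             rl->suppressed);
    rl->last_emit = now;
    rl->suppressed = 0;
    return 1;
}

/* Constructed flood of pps datagrams/s for secs seconds; returns notices. */
unsigned long flood_notices(const struct allowed_net *acl, size_t n,
                            uint32_t src, unsigned pps, unsigned secs)
{
    struct deny_limiter rl = {0, 0};
    unsigned long notices = 0;
    char buf[128];
    const time_t t0 = 1228400000;       /* constructed start time */
    for (unsigned s = 0; s < secs; s++)
        for (unsigned p = 0; p < pps; p++)
            if (!sender_allowed(acl, n, src))
                notices += deny_notice(&rl, src, t0 + s, buf, sizeof buf);
    return notices;
}
```

With an ACL of 192.168.0.0/16, a constructed flood of 1000 datagrams per second for 180 seconds from a disallowed address produces three notices instead of 180000, so the local log grows at a fixed rate regardless of the sender's packet rate.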