Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29501
HistoryJul 08, 2013 - 12:00 a.m.

LSE Leading Security Experts GmbH - LSE-2013-07-03 - rsyslog ElasticSearch Plugin

2013-07-0800:00:00
vulners.com
20

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=== LSE Leading Security Experts GmbH - Security Advisory 2013-07-03 ===

rsyslog ElasticSearch Plugin - Double Free Memory Corruption


Affected Version

rsyslog 7.4.0 stable <= 7.4.1 stable
rsyslog 7.3.2 devel <= 7.5.1 devel

Problem Overview

Technical Risk: high
Likelihood of Exploitation: low
Vendor: Adiscon GmbH, Nathan Scott, Rainer Gerhards
Credits: LSE Leading Security Experts GmbH employee Markus Vervier and
Marius Ionescu
Advisory URL: http://www.lsexperts.de/advisories/lse-2013-07-03.txt
Advisory Status: Public
CVE-Number: CVE-2013-4758

Problem Impact

While conducting a code review, a double free memory corruption
vulnerability was discovered in the ElasticSearch plugin of rsyslog.
This could allow a remote attacker to crash rsyslog and possibly
execute code if he can manipulate JSON responses from ElasticSearch.

Problem Description

A double free memory corruption exists in all implementations of the
rsyslog omelasticsearch plugin up to 7.4.1 stable and 7.5.1 devel
having the "errorfile" parameter explicitly set for local logging.
The variable "rendered" in function writeDataError of
omelasticsearch.c is freed twice. This allows heap corruption and
possible code execution if an attacker is able to control memory
between subsequent calls to free.

Temporary Workaround and Fix

It is advised to update to version 7.4.2 stable or 7.5.2 of rsyslog as
soon as possible.

As a workaround the "errorfile" configuration parameter should be
disabled, as is the default in rsyslog.

History

2013-06-27 Problem discovery during code review at customer
2013-07-03 Original vendor contacted
2013-07-03 Vulnerability confirmed by vendor
2013-07-03 Fix released
2013-07-04 CVE-2013-4758 assigned
2013-07-05 Coordinated advisory release


http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 (0) 6151 86086-0, Fax: -299,
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschaftsfuhrer: Oliver Michel, Sven Walther, Dr. Peter Schill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQIcBAEBAgAGBQJR1m7aAAoJEDgSCSGZ4yd8qAcQAJlG0E7t2jnqXvxS3QUCgyF9
lMuADOj7/wbNw/oetbBLukzh9OXOKB2q2QLney6XosZOMh7/dfSXuOdJsaEufutS
5BFGHUOglixACmqju3ZcWvWYsKYrtnKyy+/GJvXR3fZjP7Jf6UEHeBlffEwYhqEe
kjA/ha5EHeljehHbqc+zm+O8iSVte40dJD87/D76UwzI6cMG6eFbFRgDYxaFSGh6
0JMdBA0PqkkkF9fdrlJ00VYrPU41RUMPeiv23OyIiQgWvAbWV8RMkTetkVaqxCys
ms8/s8+FlA4xBKZPiHB64i7oznKHV1AeqXjCm9AahXxCg1NWQx/DkShTZd/zWg30
uI8+2NIb/YMyPrdth44+ucpjcF1v76G3c/WBSBniIXPwUvzHTxD0DHBYX6g0i2Jr
HvtD1kZaWUjk/ofD52CZ1pcUIsqyiO6hoS1vYA83EiC9KW/Yp2lrf/apoE5VgdJ8
jN4JTSU7NEIKY/S+GDFBUDqpnIJeG+VHVC2dmWa+fSfRqx5Wlk9YwE0K0KI/BU+D
MrmzwO4/Fx0EdxhKxOaMAJTVAas2paW07ewrXKTRCja2mAZLaK3eeuKfdwvqVa4J
SwBNnbyPPoY9H8fjx9J8rrYirfZnQ4UKiV7cgOfaXG+ZfFzaS/iZZ3i+USdMJtDS
fwuOw+xvnSrruDiP1Dho
=HJxe
-----END PGP SIGNATURE-----

Related for SECURITYVULNS:DOC:29501