Today, we release rsyslog 8.2204.1.
This is a security bugfixing release.
There is a heap buffer overflow vulnerability in the rsyslog TCP reception
components, most notably imtcp and imptcp. It can only be triggered in
octet-counted framing mode, which is enabled by default.
If the receiver ports are exposed to the public Internet AND are used
without authentication, this can lead to a remote denial of service and
potentially to remote code execution. Whether remote code execution is
actually achievable is unclear; if it is, it would require a very
sophisticated attack.
When syslog best practices with proper firewalling and authentication
are used, an attack can only be carried out from within the intranet
and from authorized systems. This limits the severity of the vulnerability
considerably (it would obviously require an attacker to already be
present inside the internal network).
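The framing in question is RFC 6587 octet counting: each message on the TCP stream is prefixed with its decimal byte count and a single space. The following is an added example, not rsyslog's own reception code and not the patched code path: a small C parser for that framing which bounds the attacker-supplied count on every digit, before anything is allocated or copied, so the body copy can never run past the heap buffer. The limit MAX_MSG_LEN, the function names and the sample frames are this example's own constructions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest message body this receiver accepts per frame. Example value for
 * this illustration, not an rsyslog setting. */
#define MAX_MSG_LEN 8192

enum frame_result {
    FRAME_OK,         /* one complete frame parsed, *msg_out allocated */
    FRAME_NEED_MORE,  /* count or body not fully received yet */
    FRAME_BAD_COUNT,  /* not "<digits><SP>": drop the connection */
    FRAME_TOO_LARGE,  /* declared count exceeds MAX_MSG_LEN: drop it */
    FRAME_NO_MEMORY
};

/* Parse one octet-counted frame ("<len> <msg>") from buf[0..buflen).
 * On FRAME_OK, *msg_out is a heap-allocated NUL-terminated copy of the body
 * (caller frees it) and *consumed is the number of input bytes used. */
enum frame_result parse_octet_counted(const unsigned char *buf, size_t buflen,
                                      char **msg_out, size_t *consumed)
{
    size_t i = 0;
    size_t len = 0;

    if (buflen == 0)
        return FRAME_NEED_MORE;
    if (!isdigit(buf[0]))
        return FRAME_BAD_COUNT;

    /* Accumulate the decimal count, checking the bound on every digit so an
     * attacker-chosen length can neither wrap size_t nor exceed what we are
     * willing to allocate. */
    while (i < buflen && isdigit(buf[i])) {
        len = len * 10 + (size_t)(buf[i] - '0');
        if (len > MAX_MSG_LEN)
            return FRAME_TOO_LARGE;
        i++;
    }
    if (i == buflen)
        return FRAME_NEED_MORE;      /* count may continue in the next read */
    if (buf[i] != ' ')
        return FRAME_BAD_COUNT;      /* count must be followed by exactly one SP */
    i++;

    if (buflen - i < len)
        return FRAME_NEED_MORE;      /* body not complete yet */

    /* len is now known to be <= MAX_MSG_LEN and fully present in buf, so the
     * allocation matches the copy exactly. */
    char *msg = malloc(len + 1);
    if (msg == NULL)
        return FRAME_NO_MEMORY;
    memcpy(msg, buf + i, len);
    msg[len] = '\0';

    *msg_out = msg;
    *consumed = i + len;
    return FRAME_OK;
}

/* Drain every complete frame from a receive buffer. Returns the number of
 * frames accepted and leaves the unparsed tail length in *leftover. A real
 * receiver closes the connection on FRAME_BAD_COUNT or FRAME_TOO_LARGE
 * instead of silently stopping. */
size_t parse_stream(const unsigned char *buf, size_t buflen, size_t *leftover)
{
    size_t off = 0, n = 0;
    while (off < buflen) {
        char *msg;
        size_t used;
        if (parse_octet_counted(buf + off, buflen - off, &msg, &used) != FRAME_OK)
            break;
        free(msg);
        off += used;
        n++;
    }
    *leftover = buflen - off;
    return n;
}

/* Small wrappers over NUL-terminated strings for the demo below. */
enum frame_result frame_status(const char *s)
{
    char *msg = NULL;
    size_t used = 0;
    enum frame_result r = parse_octet_counted((const unsigned char *)s,
                                              strlen(s), &msg, &used);
    if (r == FRAME_OK)
        free(msg);
    return r;
}

/* 1 if s is exactly one complete frame whose body equals expect. */
int frame_yields(const char *s, const char *expect)
{
    char *msg = NULL;
    size_t used = 0;
    if (parse_octet_counted((const unsigned char *)s, strlen(s), &msg, &used) != FRAME_OK)
        return 0;
    int ok = strcmp(msg, expect) == 0 && used == strlen(s);
    free(msg);
    return ok;
}

size_t frames_in(const char *s)
{
    size_t left;
    return parse_stream((const unsigned char *)s, strlen(s), &left);
}

int main(void)
{
    /* Constructed sample frames, not captured traffic. */
    const char *samples[] = { "5 hello", "5 hel", "99999 x", "abc", "5xhello" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-10s -> %d\n", samples[k], frame_status(samples[k]));
    printf("stream: %zu complete frames\n", frames_in("3 abc4 defg2 h"));
    return 0;
}
```

The point of the per-digit check is that the count is rejected while it is still a number, before it is ever used as an allocation size or a copy length; an implementation that parses the full count first and compares it afterwards, or that trusts it when sizing the heap buffer, is exactly where a hostile peer on an unauthenticated port gets leverage.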
A patch is available; updated packages are already available or will
be within the next few hours. The daily stable will contain the patch.
Credits to Peter Agten for initially reporting the issue and working
with us on the resolution.
As always, feedback is appreciated.