rsyslog ElasticSearch plugin suffers from a double free memory corruption. rsyslog versions 7.4.0 stable through 7.4.1 stable and 7.3.2 devel through 7.5.1 devel are affected.
c9b79425a99d604dd1c1d69b803474783b1a91144c92fa3d3e6e0ef941f7e904
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=== LSE Leading Security Experts GmbH - Security Advisory 2013-07-03 ===
rsyslog ElasticSearch Plugin - Double Free Memory Corruption
- ------------------------------------------------------------
Affected Version
================
rsyslog 7.4.0 stable <= 7.4.1 stable
rsyslog 7.3.2 devel <= 7.5.1 devel
Problem Overview
================
Technical Risk: high
Likelihood of Exploitation: low
Vendor: Adiscon GmbH, Nathan Scott, Rainer Gerhards
Credits: LSE Leading Security Experts GmbH employee Markus Vervier and
Marius Ionescu
Advisory URL: http://www.lsexperts.de/advisories/lse-2013-07-03.txt
Advisory Status: Public
CVE-Number: CVE-2013-4758
Problem Impact
==============
While conducting a code review, a double free memory corruption
vulnerability was discovered in the ElasticSearch plugin of rsyslog.
This could allow a remote attacker to crash rsyslog and possibly
execute code if he can manipulate JSON responses from ElasticSearch.
Problem Description
===================
A double free memory corruption exists in all implementations of the
rsyslog omelasticsearch plugin up to 7.4.1 stable and 7.5.1 devel
having the "errorfile" parameter explicitly set for local logging.
The variable "rendered" in function writeDataError of
omelasticsearch.c is freed twice. This allows heap corruption and
possible code execution if an attacker is able to control memory
between subsequent calls to free.
Temporary Workaround and Fix
============================
It is advised to update to version 7.4.2 stable or 7.5.2 of rsyslog as
soon as possible.
As a workaround the "errorfile" configuration parameter should be
disabled, as is the default in rsyslog.
History
=======
2013-06-27 Problem discovery during code review at customer
2013-07-03 Original vendor contacted
2013-07-03 Vulnerability confirmed by vendor
2013-07-03 Fix released
2013-07-04 CVE-2013-4758 assigned
2013-07-05 Coordinated advisory release
- --
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 (0) 6151 86086-0, Fax: -299,
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther, Dr. Peter Schill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/
iQIcBAEBAgAGBQJR1m7aAAoJEDgSCSGZ4yd8qAcQAJlG0E7t2jnqXvxS3QUCgyF9
lMuADOj7/wbNw/oetbBLukzh9OXOKB2q2QLney6XosZOMh7/dfSXuOdJsaEufutS
5BFGHUOglixACmqju3ZcWvWYsKYrtnKyy+/GJvXR3fZjP7Jf6UEHeBlffEwYhqEe
kjA/ha5EHeljehHbqc+zm+O8iSVte40dJD87/D76UwzI6cMG6eFbFRgDYxaFSGh6
0JMdBA0PqkkkF9fdrlJ00VYrPU41RUMPeiv23OyIiQgWvAbWV8RMkTetkVaqxCys
ms8/s8+FlA4xBKZPiHB64i7oznKHV1AeqXjCm9AahXxCg1NWQx/DkShTZd/zWg30
uI8+2NIb/YMyPrdth44+ucpjcF1v76G3c/WBSBniIXPwUvzHTxD0DHBYX6g0i2Jr
HvtD1kZaWUjk/ofD52CZ1pcUIsqyiO6hoS1vYA83EiC9KW/Yp2lrf/apoE5VgdJ8
jN4JTSU7NEIKY/S+GDFBUDqpnIJeG+VHVC2dmWa+fSfRqx5Wlk9YwE0K0KI/BU+D
MrmzwO4/Fx0EdxhKxOaMAJTVAas2paW07ewrXKTRCja2mAZLaK3eeuKfdwvqVa4J
SwBNnbyPPoY9H8fjx9J8rrYirfZnQ4UKiV7cgOfaXG+ZfFzaS/iZZ3i+USdMJtDS
fwuOw+xvnSrruDiP1Dho
=HJxe
-----END PGP SIGNATURE-----