{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2018-1000140", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-05T12:33:49.313Z", "dateReserved": "2018-03-23T00:00:00", "datePublished": "2018-03-23T00:00:00"}, "containers": {"cna": {"dateAssigned": "2018-03-20T00:00:00", "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-06-12T00:00:00"}, "descriptions": [{"lang": "en", "value": "rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in Remote code execution. This attack appear to be exploitable a remote attacker that can connect to rsyslog and trigger a stack buffer overflow by sending a specially crafted x509 certificate."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"name": "USN-3612-1", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/3612-1/"}, {"name": "GLSA-201804-21", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/201804-21"}, {"url": "https://github.com/rsyslog/librelp/blob/532aa362f0f7a8d037505b0a27a1df452f9bac9e/src/tcp.c#L1205"}, {"name": "RHSA-2018:1703", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1703"}, {"name": "RHSA-2018:1704", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1704"}, {"name": "RHSA-2018:1702", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1702"}, {"name": "RHSA-2018:1225", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1225"}, {"name": "RHSA-2018:1707", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1707"}, {"url": "https://lgtm.com/rules/1505913226124/"}, {"name": "RHSA-2018:1223", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1223"}, {"name": "DSA-4151", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2018/dsa-4151"}, {"name": "RHSA-2018:1701", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1701"}, {"url": "http://packetstormsecurity.com/files/172829/librelp-Remote-Code-Execution.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}], "datePublic": "2018-03-23T00:00:00"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:33:49.313Z"}, "title": "CVE Program Container", "references": [{"name": "USN-3612-1", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/3612-1/"}, {"name": "GLSA-201804-21", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/201804-21"}, {"url": "https://github.com/rsyslog/librelp/blob/532aa362f0f7a8d037505b0a27a1df452f9bac9e/src/tcp.c#L1205", "tags": ["x_transferred"]}, {"name": "RHSA-2018:1703", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1703"}, {"name": "RHSA-2018:1704", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1704"}, {"name": "RHSA-2018:1702", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1702"}, {"name": "RHSA-2018:1225", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1225"}, {"name": "RHSA-2018:1707", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1707"}, {"url": "https://lgtm.com/rules/1505913226124/", "tags": ["x_transferred"]}, {"name": "RHSA-2018:1223", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1223"}, {"name": "DSA-4151", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4151"}, {"name": "RHSA-2018:1701", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1701"}, {"url": "http://packetstormsecurity.com/files/172829/librelp-Remote-Code-Execution.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rsyslog:librelp:*:*:*:*:*:*:*:*", "matchCriteriaId": "55960842-7464-4000-92D0-DD6774302375", "versionEndIncluding": "1.2.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*", "matchCriteriaId": "16E6D998-B41D-4B49-9E00-8336D2E40A4A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", "matchCriteriaId": "1C8D871B-AEA1-4407-AEE3-47EC782250FF", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "98381E61-F082-4302-B51F-5648884F998B", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "D99A687E-EAE6-417E-A88E-D0082BC194CD", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B353CE99-D57C-465B-AAB0-73EF581127D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7:*:*:*:*:*:*:*", "matchCriteriaId": "6C81647C-9A53-481D-A54C-36770A093F90", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "A8442C20-41F9-47FD-9A12-E724D3A31FD7", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "9EC0D196-F7B8-4BDD-9050-779F7A7FBEE4", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "A4E9DD8A-A68B-4A69-8B01-BFF92A2020A8", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "BF77CDCF-B9C9-427D-B2BF-36650FB2148C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*", "matchCriteriaId": "13E02156-E748-4820-B76F-7074793837E1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*", "matchCriteriaId": "6755B6AD-0422-467B-8115-34A60B1D1A40", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "24C0F4E1-C52C-41E0-9F14-F83ADD5CC7ED", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "D5F7E11E-FB34-4467-8919-2B6BEAABF665", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E5ED5807-55B7-47C5-97A6-03233F4FBC3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in Remote code execution. This attack appear to be exploitable a remote attacker that can connect to rsyslog and trigger a stack buffer overflow by sending a specially crafted x509 certificate."}, {"lang": "es", "value": "rsyslog librelp en versiones 1.2.14 y anteriores contiene una vulnerabilidad de desbordamiento de b\u00fafer en la verificaci\u00f3n de certificados x509 desde un peer que puede resultar en la ejecuci\u00f3n remota de c\u00f3digo. Parece que este ataque puede ser explotable debido a que un atacante remoto puede conectarse a rsyslog y desencadena un desbordamiento de b\u00fafer basado en pila mediante el env\u00edo de un certificado x509 especialmente manipulado."}], "id": "CVE-2018-1000140", "lastModified": "2024-11-21T03:39:46.300", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-23T21:29:00.647", "references": [{"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/172829/librelp-Remote-Code-Execution.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1223"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1225"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1701"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1702"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1703"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1704"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1707"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rsyslog/librelp/blob/532aa362f0f7a8d037505b0a27a1df452f9bac9e/src/tcp.c#L1205"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://lgtm.com/rules/1505913226124/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201804-21"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3612-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4151"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/172829/librelp-Remote-Code-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1223"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1225"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1701"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1702"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1703"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1704"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1707"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rsyslog/librelp/blob/532aa362f0f7a8d037505b0a27a1df452f9bac9e/src/tcp.c#L1205"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://lgtm.com/rules/1505913226124/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201804-21"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3612-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4151"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Rainer Gerhards (rsyslog) for reporting this issue. Upstream acknowledges Bas van Schaik (lgtm.com / Semmle) and Kevin Backhouse (lgtm.com / Semmle) as the original reporters.", "affected_release": [{"advisory": "RHSA-2018:1225", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "librelp-0:1.2.7-3.el6_9.1", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2018-04-24T00:00:00Z"}, {"advisory": "RHSA-2018:1701", "cpe": "cpe:/o:redhat:rhel_aus:6.6", "package": "librelp-0:1.2.7-3.el6_6.1", "product_name": "Red Hat Enterprise Linux 6.6 Advanced Update Support", "release_date": "2018-05-23T00:00:00Z"}, {"advisory": "RHSA-2018:1701", "cpe": "cpe:/o:redhat:rhel_tus:6.6", "package": "librelp-0:1.2.7-3.el6_6.1", "product_name": "Red Hat Enterprise Linux 6.6 Telco Extended Update Support", "release_date": "2018-05-23T00:00:00Z"}, {"advisory": "RHSA-2018:1702", "cpe": "cpe:/o:redhat:rhel_eus:6.7", "package": "librelp-0:1.2.7-3.el6_7.1", "product_name": "Red Hat Enterprise Linux 6.7 Extended Update Support", "release_date": "2018-05-23T00:00:00Z"}, {"advisory": "RHSA-2018:1223", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "librelp-0:1.2.12-1.el7_5.1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2018-04-24T00:00:00Z"}, {"advisory": "RHSA-2018:1703", "cpe": "cpe:/o:redhat:rhel_aus:7.2", "package": "librelp-0:1.2.0-4.el7_2", "product_name": "Red Hat Enterprise Linux 7.2 Advanced Update Support", "release_date": "2018-05-23T00:00:00Z"}, {"advisory": "RHSA-2018:1703", "cpe": "cpe:/o:redhat:rhel_tus:7.2", "package": "librelp-0:1.2.0-4.el7_2", "product_name": "Red Hat Enterprise Linux 7.2 Telco Extended Update Support", "release_date": "2018-05-23T00:00:00Z"}, {"advisory": "RHSA-2018:1703", "cpe": "cpe:/o:redhat:rhel_e4s:7.2", "package": "librelp-0:1.2.0-4.el7_2", "product_name": "Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions", "release_date": "2018-05-23T00:00:00Z"}, {"advisory": "RHSA-2018:1707", "cpe": "cpe:/o:redhat:rhel_eus:7.3", "package": "librelp-0:1.2.0-4.el7_3", "product_name": "Red Hat Enterprise Linux 7.3 Extended Update Support", "release_date": "2018-05-23T00:00:00Z"}, {"advisory": "RHSA-2018:1704", "cpe": "cpe:/o:redhat:rhel_eus:7.4", "package": "librelp-0:1.2.12-1.el7_4.1", "product_name": "Red Hat Enterprise Linux 7.4 Extended Update Support", "release_date": "2018-05-23T00:00:00Z"}], "bugzilla": {"description": "librelp: Stack-based buffer overflow in relpTcpChkPeerName function in src/tcp.c", "id": "1560084", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1560084"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-121", "details": ["rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in Remote code execution. This attack appear to be exploitable a remote attacker that can connect to rsyslog and trigger a stack buffer overflow by sending a specially crafted x509 certificate.", "A stack-based buffer overflow was found in the way librelp parses X.509 certificates. By connecting or accepting connections from a remote peer, an attacker may use a specially crafted X.509 certificate to exploit this flaw and potentially execute arbitrary code."], "mitigation": {"lang": "en:us", "value": "Users are strongly advised not to expose their logging RELP services to a public network."}, "name": "CVE-2018-1000140", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "librelp", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2018-03-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1000140\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000140\nhttps://www.rsyslog.com/cve-2018-1000140/"], "threat_severity": "Critical"}