CVE & CISA-KEV Catalog

CVE-2022-24903

Severity: HIGH | EPSS: 89th percentile | CVSS v3 (NVD): 8.1

Description

Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. To our understanding, this vulnerability cannot be used for remote code execution, but there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum. This can be used to overrun the memory buffer. However, once the sequence of digits stops, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.
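As an added example (not taken from this page or from the rsyslog project), the workaround the description mentions, disabling octet-counted framing on receivers that do not need it, looks like this in rsyslog's RainerScript configuration. The `supportOctetCountedFraming` input parameter is assumed to be available on the reader's `imtcp`/`imptcp` version (it is documented for both modules); the port numbers are constructed values, and only one of the two `imtcp` stanzas should be present in a real config.

```rsyslog
# Weak (default) receiver: octet-counted framing is accepted, so on an
# unpatched build any client that can reach port 514 hits the affected
# octet-count parsing path.
module(load="imtcp")
input(type="imtcp" port="514")

# Hardened receiver: same listener with octet-counted framing turned off.
# Senders must then use the (more common) LF-delimited framing. Keep this
# until the fixed package from the "How to fix" list is installed, or
# permanently if no sender relies on RFC 6587 octet counting.
module(load="imtcp")
input(type="imtcp" port="514" supportOctetCountedFraming="off")

# The same parameter applies to imptcp listeners (constructed port).
module(load="imptcp")
input(type="imptcp" port="10514" supportOctetCountedFraming="off")
```

After editing, validate the file with `rsyslogd -N1` before restarting the service, and confirm on the sending side that nothing emits octet-counted frames; a sender that does will have its messages rejected or mis-split once the option is off.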

How to fix

Remediation Available
rsyslog (Debian)
Fixed in: 8.2102.0-2+deb11u1 (CVE-2022-24903)
Fixed in: 8.2204.1-1 (CVE-2022-24903)

rsyslog (Ubuntu)
Fixed in: 8.16.0-1ubuntu3.1+esm2 (USN-5404-2)
Fixed in: 8.32.0-1ubuntu4.2 (USN-5404-1)
Fixed in: 8.2001.0-1ubuntu1.3 (USN-5404-1)
Fixed in: 8.2112.0-2ubuntu2.2 (USN-5404-1)

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Impact

Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit Intelligence

3.82% probability of exploitation in 30 days
89th percentile

Elevated risk: more likely to be exploited than 89% of all known CVEs.


This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.