CVE-2014-3634: Improper Restriction of Operations within the Bounds of a Memory Buffer in Rsyslog

Severity
7.5 HIGH
NVD: 5.0

EPSS
29.4% (top 3.39%)

CISA KEV
Not in KEV

Exploit
No known exploits

Timeline
Published: Nov 2
Latest update: May 17

Description

rsyslog before 7.6.6 and 8.x before 8.4.1 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash), possibly execute arbitrary code, or have other unspecified impact via a crafted priority (PRI) value that triggers an out-of-bounds array access.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4

Affected Packages (5 packages)

Debian: rsyslog/rsyslog < 8.4.2-1 (+7)
Ubuntu: rsyslog/rsyslog < 7.4.4-1ubuntu2.3
NVD: rsyslog/rsyslog 7.6.5 (+20)
Debian: gnu/inetutils < 2:1.9.2.39.3a460-1 (+3)

Patches

Vulnerability Details (7)

GHSA: GHSA-h4gg-9gq4-7c4h: rsyslog before 7 (2022-05-17)
GHSA: GHSA-cj25-wc2v-fhxm: Integer overflow in rsyslog before 7 (2022-05-17)
OSV: CVE-2014-3683: Integer overflow in rsyslog before 7 (2014-11-02)
CVEList: CVE-2014-3634: rsyslog before 7 (2014-11-02)
OSV: CVE-2014-3634: rsyslog before 7 (2014-11-02)

Vendor Advisories (5)

Ubuntu: Rsyslog vulnerabilities (2014-10-09)
Red Hat: rsyslog: integer overflow in PRI parsing (2014-10-02)
Red Hat: rsyslog: remote syslog PRI vulnerability (2014-09-30)
Debian: CVE-2014-3634: inetutils - rsyslog before 7.6.6 and 8.x before 8.4.1 and sysklogd 1.5 and earlier allows re... (2014)
Debian: CVE-2014-3683: rsyslog - Integer overflow in rsyslog before 7.6.7 and 8.x before 8.4.2 and sysklogd 1.5 a... (2014)

Community (4)

Bugzilla: CVE-2014-3683 rsyslog: integer overflow in PRI parsing (2014-10-03)
Bugzilla: CVE-2014-3634 sysklogd: rsyslog: remote syslog PRI vulnerability [fedora-all] (2014-10-02)
Bugzilla: CVE-2014-3634 rsyslog: remote syslog PRI vulnerability [fedora-all] (2014-10-02)
Bugzilla: CVE-2014-3634 rsyslog: remote syslog PRI vulnerability (2014-09-16)