CVE-2017-10906
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2017-10906 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This flaw requires particular preconditions to be exploitable, which are not common in supported deployments of fluentd. The vulnerable system must have all of:
-
A filter_parser enabled in fluentd.conf
-
Fluentd running in non-daemon mode or a bad syslog server that doesn't sanitise escape sequences (rsyslog does)
-
A vulnerable terminal that happens to be running fluentd or manipulating the fluentd log file (for example tailing it)
This issue affects the versions of fluentd as shipped with Red Hat OpenShift Enterprise 3. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
CVSS v3 metrics
| CVSS3 Base Score | 5.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | Low |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat OpenStack Platform 13.0 Operational Tools for RHEL 7 (fluentd) | RHSA-2018:2225 | 2018-07-19 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | fluentd | Will not fix |
| Red Hat OpenStack Platform 12.0 Operational Tools for RHEL 7 | fluentd | Will not fix |
| Red Hat OpenStack Platform 11.0 Operational Tools for RHEL 7 | fluentd | Will not fix |
| Red Hat OpenStack Platform 10.0 Operational Tools for RHEL 7 | fluentd | Will not fix |
| Red Hat OpenShift Enterprise 3 | fluentd | Affected |
CVE description copyright © 2017, The MITRE Corporation