CVE-2018-1000140

Impact:
Critical
Public Date:
2018-03-23
CWE:
CWE-121
Bugzilla:
1560084: CVE-2018-1000140 librelp: Stack-based buffer overflow in relpTcpChkPeerName function in src/tcp.c
A stack-based buffer overflow was found in the way librelp parses X.509 certificates. By connecting or accepting connections from a remote peer, an attacker may use a specially crafted X.509 certificate to exploit this flaw and potentially execute arbitrary code.

Find out more about CVE-2018-1000140 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 8.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux Extended Update Support 7.4 (librelp) RHSA-2018:1704 2018-05-23
Red Hat Enterprise Linux Server TUS (v. 7.2) (librelp) RHSA-2018:1703 2018-05-23
Red Hat Enterprise Linux Advanced Update Support 6.6 (librelp) RHSA-2018:1701 2018-05-23
Red Hat Enterprise Linux Server Update Services for SAP Solutions 7.2 (librelp) RHSA-2018:1703 2018-05-23
Red Hat Enterprise Linux Advanced Update Support 7.2 (librelp) RHSA-2018:1703 2018-05-23
Red Hat Enterprise Linux Extended Update Support 7.3 (librelp) RHSA-2018:1707 2018-05-23
Red Hat Enterprise Linux 7 (librelp) RHSA-2018:1223 2018-04-24
Red Hat Enterprise Linux Extended Update Support 6.7 (librelp) RHSA-2018:1702 2018-05-23
Red Hat Enterprise Linux Server TUS (v. 6.6) (librelp) RHSA-2018:1701 2018-05-23
Red Hat Enterprise Linux 6 (librelp) RHSA-2018:1225 2018-04-24

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 8 librelp Not affected

Acknowledgements

Red Hat would like to thank Rainer Gerhards (rsyslog) for reporting this issue. Upstream acknowledges Bas van Schaik (lgtm.com / Semmle) and Kevin Backhouse (lgtm.com / Semmle) as the original reporters.

Mitigation

Users are strongly advised not to expose their logging RELP services to a public network.

External References

Last Modified