106632

RHBA-2019:0327

RHSA-2019:0201

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3815

[debian-lts-announce] 20190313 [SECURITY] [DLA 1711-1] systemd security update

The version of systemd installed on the remote host is prior to 219-78. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1647 advisory.

  - A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd     re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly     lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
    (CVE-2018-15686)

  - An allocation of memory without limits, that could result in the stack clashing with another memory     region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A     local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through     v240 are vulnerable. (CVE-2018-16864)

  - An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate     with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221     to v239 are vulnerable. (CVE-2018-16866)

  - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the     udevadm trigger command, a memory leak may occur. (CVE-2019-20386)

  - A memory leak was discovered in the backport of fixes for CVE-2018-16864 in Red Hat Enterprise Linux.
    Function dispatch_message_real() in journald-server.c does not free the memory allocated by     set_iovec_field_free() to store the `_CMDLINE=` entry. A local attacker may use this flaw to make systemd-     journald crash. This issue only affects versions shipped with Red Hat Enterprise since v219-62.2.
    (CVE-2019-3815)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of systemd installed on the remote host is prior to 219-78. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1643 advisory.

  - A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd     re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly     lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
    (CVE-2018-15686)

  - An allocation of memory without limits, that could result in the stack clashing with another memory     region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A     local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through     v240 are vulnerable. (CVE-2018-16864)

  - An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate     with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221     to v239 are vulnerable. (CVE-2018-16866)

  - It was discovered systemd does not correctly check the content of PIDFile files before using it to kill     processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a     local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick     systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.
    (CVE-2018-16888)

  - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the     udevadm trigger command, a memory leak may occur. (CVE-2019-20386)

  - A memory leak was discovered in the backport of fixes for CVE-2018-16864 in Red Hat Enterprise Linux.
    Function dispatch_message_real() in journald-server.c does not free the memory allocated by     set_iovec_field_free() to store the `_CMDLINE=` entry. A local attacker may use this flaw to make systemd-     journald crash. This issue only affects versions shipped with Red Hat Enterprise since v219-62.2.
    (CVE-2019-3815)

  - An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c     allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus     messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1,     causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a     denial of service (systemd PID1 crash and kernel panic). (CVE-2019-6454)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A memory leak was discovered in the backport of fixes for CVE-2018-16864 in Red Hat Enterprise Linux. Function dispatch_message_real() in journald-server.c does not free the memory allocated by set_iovec_field_free() to store the `_CMDLINE=` entry. A local attacker may use this flaw to make systemd-journald crash. This issue only affects versions shipped with Red Hat Enterprise since v219-62.2.(CVE-2019-3815)

Impact

A local attacker may be able to cause excessive resource consumption on the BIG-IP system, potentially leading to a failover event.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has systemd packages installed that are affected by multiple vulnerabilities:

  - A memory leak was discovered in the backport of fixes     for CVE-2018-16864 in Red Hat Enterprise Linux. Function     dispatch_message_real() in journald-server.c does not     free the memory allocated by set_iovec_field_free() to     store the `_CMDLINE=` entry. A local attacker may use     this flaw to make systemd-journald crash.
    (CVE-2019-3815)

  - It was discovered that systemd allocates a buffer large     enough to store the path field of a dbus message without     performing enough checks. A local attacker may trigger     this flaw by sending a dbus message to systemd with a     large path making systemd crash or possibly elevating     his privileges. (CVE-2019-6454)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the version of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - systemd: memory leak in journald-server.c introduced by     fix for CVE-2018-16864.(CVE-2019-3815)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - systemd: memory leak in journald-server.c introduced by     fix for CVE-2018-16864 (CVE-2019-3815)

  - systemd: Insufficient input validation in     bus_process_object() resulting in PID 1 crash     (CVE-2019-6454)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A memory leak was discovered in the backport of fixes for CVE-2018-16864 in systemd-journald.

Function dispatch_message_real() in journald-server.c does not free allocated memory to store the `_CMDLINE=` entry. A local attacker may use this flaw to make systemd-journald crash.

Note that as the systemd-journald service is not restarted automatically a restart of the service or more safely a reboot is advised.

For Debian 8 'Jessie', this problem has been fixed in version 215-17+deb8u11.

We recommend that you upgrade your systemd packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - systemd: Out-of-bounds heap write in systemd-networkd     dhcpv6 option handling (CVE-2018-15688)

  - systemd: stack overflow when calling syslog from a     command with long cmdline (CVE-2018-16864)

  - systemd: stack overflow when receiving many journald     entries (CVE-2018-16865)

  - systemd: Assertion failure when PID 1 receives a     zero-length message over notify socket(CVE-2016-7795)

  - systemd: Unsafe handling of hard links allowing     privilege escalation(CVE-2017-18078)

  - systemd: Out-of-bounds write in systemd-resolved due to     allocating too small buffer in     dns_packet_new(CVE-2017-9445)

  - systemd: memory leak in journald-server.c introduced by     fix for CVE-2018-16864 (CVE-2019-3815)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for systemd is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es) :

* systemd: memory leak in journald-server.c introduced by fix for CVE-2018-16864 (CVE-2019-3815)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

From Red Hat Security Advisory 2019:0201 :

An update for systemd is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es) :

* systemd: memory leak in journald-server.c introduced by fix for CVE-2018-16864 (CVE-2019-3815)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Security Fix(es) :

  - systemd: memory leak in journald-server.c introduced by     fix for CVE-2018-16864 (CVE-2019-3815)

ID	Name	Product	Family	Severity
150993	Amazon Linux 2 : systemd (ALAS-2021-1647)	Nessus	Amazon Linux Local Security Checks	high
149869	Amazon Linux 2 : systemd (ALAS-2021-1643) (deprecated)	Nessus	Amazon Linux Local Security Checks	critical
136209	F5 Networks BIG-IP : systemd-journald vulnerability (K22040951)	Nessus	F5 Networks Local Security Checks	high
127248	NewStart CGSL CORE 5.04 / MAIN 5.04 : systemd Multiple Vulnerabilities (NS-SA-2019-0057)	Nessus	NewStart CGSL Local Security Checks	medium
124631	EulerOS 2.0 SP3 : systemd (EulerOS-SA-2019-1345)	Nessus	Huawei Local Security Checks	low
123602	EulerOS 2.0 SP2 : systemd (EulerOS-SA-2019-1128)	Nessus	Huawei Local Security Checks	medium
122826	Debian DLA-1711-1 : systemd security update	Nessus	Debian Local Security Checks	low
122218	EulerOS 2.0 SP5 : systemd (EulerOS-SA-2019-1045)	Nessus	Huawei Local Security Checks	critical
121549	CentOS 7 : systemd (CESA-2019:0201)	Nessus	CentOS Local Security Checks	low
121498	Oracle Linux 7 : systemd (ELSA-2019-0201)	Nessus	Oracle Linux Local Security Checks	low
121457	Scientific Linux Security Update : systemd on SL7.x x86_64 (20190129)	Nessus	Scientific Linux Local Security Checks	high
121452	RHEL 7 : systemd (RHSA-2019:0201)	Nessus	Red Hat Local Security Checks	low

CVE-2019-3815

low

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

critical

high

medium

low

medium

low

critical

low

low

high

low