The remote NewStart CGSL host, running version MAIN 6.02, has rsyslog packages installed that are affected by a vulnerability:

  - Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap     buffer overflow when octet-counted framing is used. This can result in a segfault or some other     malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But     there may still be a slight chance for experts to do that. The bug occurs when the octet count is read.
    While there is a check for the maximum number of octets, digits are written to a heap buffer even when the     octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence     of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote     exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing     modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`,     `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to     directly expose them to the public. When this practice is followed, the risk is considerably lower. Module     `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present     on any production installation. Octet-counted framing is not very common. Usually, it needs to be     specifically enabled at senders. If users do not need it, they can turn it off for the most important     modules. This will mitigate the vulnerability. (CVE-2022-24903)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-5404-1 advisory.

    Pieter Agten discovered that Rsyslog incorrectly handled certain requests. An attacker could possibly use     this issue to cause a crash.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:4802 advisory.

    The rsyslog packages provide an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC     3195, permitted sender lists, filtering on any message part, and fine-grained control over output format.

    Security Fix(es):

    * rsyslog: Heap-based overflow in TCP syslog server (CVE-2022-24903)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:4800 advisory.

    The rsyslog packages provide an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC     3195, permitted sender lists, filtering on any message part, and fine-grained control over output format.

    Security Fix(es):

    * rsyslog: Heap-based overflow in TCP syslog server (CVE-2022-24903)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-4799 advisory.

    [8.2102.0-7.1]
    - Address CVE-2022-24903, Heap-based overflow in TCP syslog server       resolves: rhbz#2081400

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:4808 advisory.

    The rsyslog packages provide an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC     3195, permitted sender lists, filtering on any message part, and fine-grained control over output format.

    The rsyslog7 packages provide an enhanced, multi-threaded syslog daemon. It supports on-demand disk     buffering, reliable syslog over TCP, SSL, TLS and RELP, writing to databases (MySQL, PostgreSQL, Oracle,     and others), email alerting, fully configurable output formats (including high-precision time stamps), the     ability to filter on any part of the syslog message, on-the-wire message compression, and the ability to     convert text files to syslog.

    Security Fix(es):

    * rsyslog: Heap-based overflow in TCP syslog server (CVE-2022-24903)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Scientific Linux 7 host has packages installed that are affected by a vulnerability as referenced in the SLSA-2022:4803-1 advisory.

  - rsyslog: Heap-based overflow in TCP syslog server (CVE-2022-24903)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:4803 advisory.

  - Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap     buffer overflow when octet-counted framing is used. This can result in a segfault or some other     malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But     there may still be a slight chance for experts to do that. The bug occurs when the octet count is read.
    While there is a check for the maximum number of octets, digits are written to a heap buffer even when the     octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence     of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote     exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing     modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`,     `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to     directly expose them to the public. When this practice is followed, the risk is considerably lower. Module     `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present     on any production installation. Octet-counted framing is not very common. Usually, it needs to be     specifically enabled at senders. If users do not need it, they can turn it off for the most important     modules. This will mitigate the vulnerability. (CVE-2022-24903)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of rsyslog installed on the remote host is prior to 5.8.10-9.29. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1594 advisory.

    A flaw was found in the way rsyslog handled invalid log message priority values. In certain     configurations, a local attacker, or a remote attacker able to connect to the rsyslog port, could use this     flaw to crash the rsyslog daemon or, potentially in rsyslog 7.x, execute arbitrary code as the user     running the rsyslog daemon. (CVE-2014-3634)

    A flaw was found in rsyslog's reception TCP modules. This flaw allows an attacker to craft a malicious     message leading to a heap-based buffer overflow. This issue allows the attacker to corrupt or access data     stored in memory, leading to a denial of service in the rsyslog or possible remote code execution.
    (CVE-2022-24903)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of rsyslog installed on the remote host is prior to 8.2204.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-211 advisory.

  - rsyslog before 7.6.6 and 8.x before 8.4.1 and sysklogd 1.5 and earlier allows remote attackers to cause a     denial of service (crash), possibly execute arbitrary code, or have other unspecified impact via a crafted     priority (PRI) value that triggers an out-of-bounds array access. (CVE-2014-3634)

  - Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap     buffer overflow when octet-counted framing is used. This can result in a segfault or some other     malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But     there may still be a slight chance for experts to do that. The bug occurs when the octet count is read.
    While there is a check for the maximum number of octets, digits are written to a heap buffer even when the     octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence     of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote     exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing     modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`,     `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to     directly expose them to the public. When this practice is followed, the risk is considerably lower. Module     `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present     on any production installation. Octet-counted framing is not very common. Usually, it needs to be     specifically enabled at senders. If users do not need it, they can turn it off for the most important     modules. This will mitigate the vulnerability. (CVE-2022-24903)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the rsyslog packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format     strings, possibly allowing a format string attack with unspecified impact. (CVE-2017-12588)

  - Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap     buffer overflow when octet-counted framing is used. This can result in a segfault or some other     malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But     there may still be a slight chance for experts to do that. The bug occurs when the octet count is read.
    While there is a check for the maximum number of octets, digits are written to a heap buffer even when the     octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence     of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote     exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing     modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`,     `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to     directly expose them to the public. When this practice is followed, the risk is considerably lower. Module     `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present     on any production installation. Octet-counted framing is not very common. Usually, it needs to be     specifically enabled at senders. If users do not need it, they can turn it off for the most important     modules. This will mitigate the vulnerability. (CVE-2022-24903)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of AOS installed on the remote host is prior to 6.5.3. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.5.3 advisory.

  - net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create     user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to     a use-after-free. (CVE-2022-32250)

  - zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a     large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some     common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g.,     see the nodejs/node reference). (CVE-2022-37434)

  - mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
    (CVE-2022-42703)

  - A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain     kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their     privileges on the system. (CVE-2022-4378)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf;
    Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update,     insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java     deployments, typically in servers, that load and run only trusted code (e.g., code installed by an     administrator). (CVE-2023-21830)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
168927	NewStart CGSL MAIN 6.02 : rsyslog Vulnerability (NS-SA-2022-0105)	Nessus	NewStart CGSL Local Security Checks	12/19/2022	12/19/2022	high
160674	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Rsyslog vulnerability (USN-5404-1)	Nessus	Ubuntu Local Security Checks	5/6/2022	8/28/2024	high
161672	RHEL 8 : rsyslog (RHSA-2022:4802)	Nessus	Red Hat Local Security Checks	5/30/2022	11/7/2024	high
161677	RHEL 8 : rsyslog (RHSA-2022:4800)	Nessus	Red Hat Local Security Checks	5/30/2022	11/8/2024	high
161680	Oracle Linux 8 : rsyslog (ELSA-2022-4799)	Nessus	Oracle Linux Local Security Checks	5/30/2022	10/24/2024	high
161710	RHEL 6 : rsyslog and rsyslog7 (RHSA-2022:4808)	Nessus	Red Hat Local Security Checks	5/31/2022	11/7/2024	high
161758	Scientific Linux Security Update : rsyslog on SL7.x x86_64 (2022:4803)	Nessus	Scientific Linux Local Security Checks	6/1/2022	6/1/2022	high
208544	CentOS 7 : rsyslog (RHSA-2022:4803)	Nessus	CentOS Local Security Checks	10/9/2024	10/9/2024	high
161998	Amazon Linux AMI : rsyslog (ALAS-2022-1594)	Nessus	Amazon Linux Local Security Checks	6/10/2022	12/11/2024	high
168552	Amazon Linux 2022 : rsyslog (ALAS2022-2022-211)	Nessus	Amazon Linux Local Security Checks	12/9/2022	12/11/2024	high
170807	EulerOS Virtualization 3.0.2.2 : rsyslog (EulerOS-SA-2023-1291)	Nessus	Huawei Local Security Checks	1/30/2023	1/30/2023	critical
175818	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.5.3)	Nessus	Misc.	5/16/2023	2/17/2025	critical

Detections

Analytics

Plugins Search

high

high

high

high

high

high

high

high

high

high

critical

critical