A flaw was found in the way rsyslog handled invalid log message priority values. In certain configurations, a local attacker, or a remote attacker able to connect to the rsyslog port, could use this flaw to crash the rsyslog daemon or, potentially in rsyslog 7.x, execute arbitrary code as the user running the rsyslog daemon.
Find out more about CVE-2014-3634 from the MITRE CVE dictionary dictionary and NIST NVD.
| Base Score | 6.8 |
|---|---|
| Base Metrics | AV:A/AC:H/Au:N/C:C/I:C/A:C |
| Access Vector | Adjacent Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | Complete |
| Integrity Impact | Complete |
| Availability Impact | Complete |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 6 (rsyslog) | RHSA-2014:1671 | 2014-10-20 |
| Red Hat Enterprise Linux 6 (rsyslog7) | RHSA-2014:1654 | 2014-10-16 |
| Red Hat Enterprise Linux 5 (rsyslog5) | RHSA-2014:1671 | 2014-10-20 |
| Red Hat Enterprise Linux 7 (rsyslog) | RHSA-2014:1397 | 2014-10-13 |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenShift Enterprise 2 | rsyslog7 | Affected |
| Red Hat Gluster Storage 2.1 | rsyslog | Will not fix |
| Red Hat Enterprise Linux 5 | rsyslog | Will not fix |
| Red Hat Enterprise Linux 5 | sysklogd | Will not fix |
Vulmon