CVE-2018-19115: keepalived has a Heap-based buffer overflow vulnerability

Bug #1820759 reported by Ken Young
Affects: StarlingX | Status: Fix Released | Importance: High | Assigned to: Mawrer Amed Ramirez Martinez | Milestone: (none)

Bug Description

Title
-----
CVE-2018-19115: keepalived has a Heap-based buffer overflow vulnerability

Brief Description
-----------------
Heap-based buffer overflow vulnerability in extract_status_code() function in lib/html.c that parses HTTP status code returned from web server allows malicious web server or man-in-the-middle attacker pretending to be a web server to cause either a denial of service or potentially execute arbitrary code on keepalived load balancer.

+----------------+----------------------------------------------------------------------------------+
| CVE-2018-19115 | |
+----------------+----------------------------------------------------------------------------------+
| Max Score | 9.8 CRITICAL (nvd) |
| nvd | 9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CRITICAL |
| redhat | 8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H IMPORTANT |
| nvd | 7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P HIGH |
| Summary | keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP |
| | status codes resulting in DoS or possibly unspecified other impact, because |
| | extract_status_code in lib/html.c has no validation of the status code and |
| | instead writes an unlimited amount of data to the heap. |
| CWE | CWE-122: Heap-based Buffer Overflow (redhat) |
| CWE | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
| | (nvd) |
| Affected Pkg | keepalived-1.3.5-6.el7 -> 1.3.5-8.el7_6 (updates) |
| Confidence | 100 / OvalMatch |
| Source | https://nvd.nist.gov/vuln/detail/CVE-2018-19115 |
| CVSSv2 Calc | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2018-19115 |
| CVSSv3 Calc | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2018-19115 |
| RHEL-CVE | https://access.redhat.com/security/cve/CVE-2018-19115 |
| CWE | https://cwe.mitre.org/data/definitions/CWE-122.html |
| CWE | https://cwe.mitre.org/data/definitions/CWE-119.html |
+----------------+----------------------------------------------------------------------------------+
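The flaw described above is a parser that copies a server-supplied status code into a heap buffer without checking its length. The following is an added illustrative example, not keepalived's lib/html.c, of the defensive pattern: read exactly three ASCII digits in place within the caller-supplied length, copy nothing whose size the remote end controls, and reject anything else.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse the status code out of an HTTP status line such as "HTTP/1.1 200 OK".
 * Returns the code (100..599) on success, -1 on any malformed input.
 * Hypothetical hardened parser written for this report; every read is
 * bounded by len and no attacker-sized buffer is ever allocated or filled. */
int parse_http_status_code(const char *line, size_t len)
{
    size_t i;
    int code = 0;
    /* Status line must begin with "HTTP/" and a version token. */
    if (len < 5 || memcmp(line, "HTTP/", 5) != 0)
        return -1;
    /* Skip the version (digits and dots only) up to the first SP. */
    for (i = 5; i < len && line[i] != ' '; i++)
        if (!isdigit((unsigned char)line[i]) && line[i] != '.')
            return -1;
    if (i == 5 || i >= len)
        return -1;              /* empty version, or no SP at all */
    i++;                        /* step over the single SP */
    /* Exactly three digits must follow; bounded read, not a copy. */
    if (len - i < 3)
        return -1;
    for (size_t k = 0; k < 3; k++) {
        if (!isdigit((unsigned char)line[i + k]))
            return -1;
        code = code * 10 + (line[i + k] - '0');
    }
    i += 3;
    /* After the code only SP, CR, LF or end of input is acceptable,
     * so an over-long "2000" is rejected rather than truncated. */
    if (i < len && line[i] != ' ' && line[i] != '\r' && line[i] != '\n')
        return -1;
    return (code < 100 || code > 599) ? -1 : code;
}

int main(void)
{
    /* Constructed sample status lines: two valid, three malformed. */
    const char *samples[] = { "HTTP/1.1 200 OK", "HTTP/1.0 404 Not Found",
                              "HTTP/1.1 2000 X", "HTTP/1.1 99 X", "HTTP/1.1 abc" };
    for (size_t n = 0; n < sizeof samples / sizeof *samples; n++)
        printf("%-24s -> %d\n", samples[n],
               parse_http_status_code(samples[n], strlen(samples[n])));
    return 0;
}
```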

Severity
--------
<Major: System/Feature is usable but degraded>

Steps to Reproduce
------------------
N/A

Expected Behavior
------------------
N/A

Actual Behavior
----------------
N/A

Reproducibility
---------------
N/A

System Configuration
--------------------
N/A

Branch/Pull Time/Commit
-----------------------
N/A

Timestamp/Logs
--------------
N/A

Ken Young (kenyis)
Changed in starlingx:
importance: Undecided → High
Ghada Khalil (gkhalil)
tags: added: stx.2019.05 stx.security
Bruce Jones (brucej)
Changed in starlingx:
assignee: nobody → Cesar Lara (clara1)
Ken Young (kenyis) wrote :

This CVE was fixed upstream on Jan 3rd. Please update the following package to fix this CVE:

keepalived-1.3.5-6.el7 -> 1.3.5-8.el7_6 (updates)

Ghada Khalil (gkhalil)
Changed in starlingx:
status: New → Triaged
Ken Young (kenyis)
tags: added: stx.build
Ken Young (kenyis) wrote :
Michel Thebeau [WIND] (mthebeau) wrote :

The CentOS security announcement lists all of the affected packages; this URL should have been listed in the bug description:

https://lists.centos.org/pipermail/centos-announce/2019-January/023140.html

Sometimes there may be more than one CentOS security announcement for a CVE; all of these should be listed in the bug description.

A method can be used to verify that the RPM files listed in the CentOS announcement(s) are updated... though in this case, with one RPM file, the method is not required:

# Package names to check; separate several names with spaces.
list="keepalived"
# Query every file under the current directory as an RPM, print "NAME,SOURCERPM",
# and keep only rows whose NAME is in $list (each space in $list becomes a regex alternation).
find . | xargs rpm -qp --queryformat="%{NAME},%{SOURCERPM}\n" 2>/dev/null | grep "^\($( echo $list | sed "s; ;\\\|;g" )\),"

keepalived,keepalived-1.3.5-6.el7.src.rpm

Mawrer Amed Ramirez Martinez (marami3) wrote :
Michel Thebeau [WIND] (mthebeau) wrote :

Thanks; please comment about the testing which is performed for this change.

Michel Thebeau [WIND] (mthebeau) wrote :

Hi,

I was reviewing the impact of keepalived on the starlingx system, and I'm finding that keepalived is absent from the build output "ISO".

I believe it's been moved to the container starlingx/stx-neutron: keepalived-1.3.5-8.el7_6

The version presented in that container is the correct version. I'm intending to -1 the review, and we can discuss the detail offline.

M

Michel Thebeau [WIND] (mthebeau) wrote :

I confirm that keepalived is version 1.3.5-8.el7_6 within starlingx/stx-neutron container, based on CENGN load 20190325T013001Z.

Based on my most recent scan I do not find it presented on the ISO image or within any other container.

Michel Thebeau [WIND] (mthebeau) wrote :

I took the question of what to do with keepalived rpm listed in "centos-mirror-tools/rpms_centos.lst" offline.

This CVE bug report no longer applies. The CVE was fixed when we started building neutron docker image from latest upstream sources.

We can intend to remove the package reference under this bug report, or close it if you like. I will intend to start a new build with keepalived removed from that .lst file; it is no longer required here.

Mawrer Amed Ramirez Martinez (marami3) wrote :

ok, I'll proceed to Abandon the current review for keepalived, also I'll start a new build with the package removed from the .lst file.

Ken Young (kenyis)
tags: added: stx.2.0
removed: stx.2019.05
Ken Young (kenyis)
Changed in starlingx:
status: Triaged → Fix Released
assignee: Cesar Lara (clara1) → Mawrer Amed Ramirez Martinez (marami3)
Ken Young (kenyis) wrote :

FYI - the review to remove the package:

https://review.opendev.org/#/c/649143/

Victor Manuel Rodriguez Bahena (vm-rod25) wrote : Re: [Bug 1820759] Re: CVE-2018-19115: keepalived has a Heap-based buffer overflow vulnerability

Yes, I was aware of this; the one whose state I am not sure about is systemd.

In summary

keepalived -> remove the pkg -> no more CVE
perl -> OK, it should be merged soon; it is not merged yet
systemd -> not sure of the status of that one

regards

On Mon, Apr 22, 2019 at 11:35 AM Ken Young <email address hidden> wrote:
>
> FYI - the review to remove the package:
>
> https://review.opendev.org/#/c/649143/
>

Ken Young (kenyis)
information type: Private Security → Public