CVE-2018-16865: Buffer Overflow
First published: Tue Nov 27 2018(Updated: )
A flaw was found in systemd-journald. An uncontrolled alloca() by writing a crafted message to /run/systemd/journal/socket that results in a stack buffer overflow. This can lead to a denial of service attack or arbitrary code execution in some cases.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Systemd Project Systemd | <=240 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.3 | |
| Redhat Enterprise Linux Server Aus | =7.6 | |
| Redhat Enterprise Linux Server Eus | =7.5 | |
| Redhat Enterprise Linux Server Eus | =7.6 | |
| Redhat Enterprise Linux Server Tus | =7.3 | |
| Redhat Enterprise Linux Server Tus | =7.6 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =18.10 | |
| Oracle Communications Session Border Controller | =8.0.0 | |
| Oracle Communications Session Border Controller | =8.1.0 | |
| Oracle Communications Session Border Controller | =8.2.0 | |
| Oracle Enterprise Communications Broker | =3.0.0 | |
| Oracle Enterprise Communications Broker | =3.1.0 | |
| debian/systemd | <=240-2<=43-1<=232-25+deb9u6 | 240-4 232-25+deb9u7 |
| ubuntu/systemd | <237-3ubuntu10.11 | 237-3ubuntu10.11 |
| ubuntu/systemd | <239-7ubuntu10.6 | 239-7ubuntu10.6 |
| ubuntu/systemd | <229-4ubuntu21.15 | 229-4ubuntu21.15 |
| debian/systemd | 247.3-7+deb11u5 252.26-1~deb12u2 256.4-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html
- http://seclists.org/fulldisclosure/2019/May/21
- http://www.openwall.com/lists/oss-security/2019/05/10/4
- http://www.openwall.com/lists/oss-security/2021/07/20/2
- http://www.securityfocus.com/bid/106525
- https://access.redhat.com/errata/RHBA-2019:0327
- https://access.redhat.com/errata/RHSA-2019:0049
- https://access.redhat.com/errata/RHSA-2019:0204
- https://access.redhat.com/errata/RHSA-2019:0271
- https://access.redhat.com/errata/RHSA-2019:0342
- https://access.redhat.com/errata/RHSA-2019:0361
- https://access.redhat.com/errata/RHSA-2019:2402
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16865
- https://lists.debian.org/debian-lts-announce/2019/01/msg00016.html
- https://seclists.org/bugtraq/2019/May/25
- https://security.gentoo.org/glsa/201903-07
- https://security.netapp.com/advisory/ntap-20190117-0001/
- https://usn.ubuntu.com/3855-1/
- https://www.debian.org/security/2019/dsa-4367
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.qualys.com/2019/01/09/system-down/system-down.txt
- https://security-tracker.debian.org/tracker/CVE-2018-16865
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16865
- https://www.openwall.com/lists/oss-security/2019/01/09/3
- https://salsa.debian.org/systemd-team/systemd/commit/ce0e48e43979e955df2413dca23c64088a729ed8
- https://security-tracker.debian.org/tracker/CVE-2018-16864
- https://bugs.debian.org/918848
- https://github.com/systemd/systemd/issues/9461
- https://salsa.debian.org/tails-team/systemd/
- https://github.com/systemd/systemd/issues/11502
- https://security-tracker.debian.org/tracker/CVE-2018-16866
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918848
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1653861#c0
- https://access.redhat.com/security/updates/classification/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1664973
- https://github.com/systemd/systemd/commit/052c57f132f04a3cf4148f87561618da1a6908b4
- https://github.com/systemd/systemd/commit/ef4d6abe7c7fab6cbff975b32e76b09feee56074
- https://bugzilla.redhat.com/show_bug.cgi?id=1653861
- https://launchpad.net/bugs/cve/CVE-2018-16865
- https://github.com/systemd/systemd/commit/cf244689e9d1ab50082c9ddd0f3c4d1eb982badc
- https://github.com/systemd/systemd/commit/c4aa09b06f835c91cea9e021df4c3605cff2318d
- https://github.com/systemd/systemd/pull/11374
- https://ubuntu.com/security/notices/USN-3855-1
- https://www.cve.org/CVERecord?id=CVE-2018-16865
- https://nvd.nist.gov/vuln/detail/CVE-2018-16865
- https://ubuntu.com/security/CVE-2018-16865
Frequently Asked Questions
What is CVE-2018-16865?
CVE-2018-16865 is a vulnerability in systemd-journald that allows an attacker to crash the system by allocating memory without limits.
What is the severity of CVE-2018-16865?
The severity of CVE-2018-16865 is high, with a CVSS score of 7.8.
How can an attacker exploit CVE-2018-16865?
An attacker can exploit CVE-2018-16865 by sending a large number of entries to the journal socket in systemd-journald, causing the stack to clash with another memory region and potentially crashing the system.
How can I fix CVE-2018-16865 on Ubuntu systems?
To fix CVE-2018-16865 on Ubuntu systems, update the systemd package to version 229-4ubuntu21.15.
Where can I find more information about CVE-2018-16865?
You can find more information about CVE-2018-16865 at the following references:• [MITRE CVE-2018-16865](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16865)• [Ubuntu Security Notice USN-3855-1](https://ubuntu.com/security/notices/USN-3855-1)• [NVD CVE-2018-16865](https://nvd.nist.gov/vuln/detail/CVE-2018-16865)
- collector/nvd-index
- collector/debian-bugs
- alias/CVE-2018-16865
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- agent/type
- agent/author
- agent/weakness
- agent/references
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/systemd project
- canonical/systemd project systemd
- version/systemd project systemd/240
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.3
- version/redhat enterprise linux server aus/7.6
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.5
- version/redhat enterprise linux server eus/7.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.3
- version/redhat enterprise linux server tus/7.6
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/18.10
- vendor/oracle
- canonical/oracle communications session border controller
- version/oracle communications session border controller/8.0.0
- version/oracle communications session border controller/8.1.0
- version/oracle communications session border controller/8.2.0
- canonical/oracle enterprise communications broker
- version/oracle enterprise communications broker/3.0.0
- version/oracle enterprise communications broker/3.1.0
- package-manager/debian
- package-manager/ubuntu