Cybersecurity researchers have found a important security flaw in a well-liked logging and metrics utility referred to as Fluent Bit that may very well be exploited to attain denial-of-service (DoS), info disclosure, or distant code execution.
The vulnerability, tracked as CVE-2024-4323, has been codenamed Linguistic Lumberjack by Tenable Analysis. It impacts variations from 2.0.7 by means of 3.0.3, with fixes out there in model 3.0.4.
The problem pertains to a case of reminiscence corruption in Fluent Bit’s built-in HTTP server that might permit for DoS, info leakage, or distant code execution.
Particularly, it pertains to sending maliciously crafted requests to the monitoring API by means of endpoints similar to /api/v1/traces and /api/v1/hint.
“No matter whether or not or not any traces are configured, it’s nonetheless attainable for any person with entry to this API endpoint to question it,” security researcher Jimi Sebree mentioned.
“In the course of the parsing of incoming requests for the /api/v1/traces endpoint, the information forms of enter names usually are not correctly validated earlier than being parsed.”
By default, the information varieties are assumed to be strings (i.e., MSGPACK_OBJECT_STR), which a risk actor might exploit by passing non-string values, resulting in reminiscence corruption.
Tenable mentioned it was in a position to reliably exploit the problem to crash the service and trigger a DoS situation. Distant code execution, alternatively, depends on a wide range of environmental elements similar to host structure and working system.
Customers are beneficial to replace to the most recent model to mitigate potential security threats, particularly given {that a} proof-of-concept (PoC) exploit has been made out there for the flaw.
