Cybersecurity researchers have discovered a critical security flaw in a popular logging and metrics utility called Fluent Bit that could be exploited to achieve denial-of-service (DoS), information disclosure, or remote code execution.
The vulnerability, tracked as CVE-2024-4323, has been codenamed Linguistic Lumberjack by Tenable Research. It impacts versions from 2.0.7 through 3.0.3, with fixes available in version 3.0.4.
The issue relates to a case of memory corruption in Fluent Bit’s built-in HTTP server that could allow for DoS, information leakage, or remote code execution.
Specifically, it relates to sending maliciously crafted requests to the monitoring API through endpoints such as /api/v1/traces and /api/v1/trace.

“Regardless of whether or not any traces are configured, it’s still possible for any user with access to this API endpoint to query it,” security researcher Jimi Sebree said.
“During the parsing of incoming requests for the /api/v1/traces endpoint, the data types of input names are not properly validated before being parsed.”

By default, the data types are assumed to be strings (i.e., MSGPACK_OBJECT_STR), which a threat actor could exploit by passing non-string values, leading to memory corruption.
Tenable said it was able to reliably exploit the issue to crash the service and cause a DoS condition. Remote code execution, on the other hand, depends on a variety of environmental factors such as host architecture and operating system.
Users are recommended to update to the latest version to mitigate potential security threats, especially given that a proof-of-concept (PoC) exploit has been made available for the flaw.
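
The type check whose absence is described above, sketched in C as an added example (not Fluent Bit's or Tenable's code). The `struct obj` tagged union, the function names and the 63-byte name limit are constructed for illustration and stand in for a decoded MessagePack value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a decoded MessagePack value: a type tag plus a
 * union whose bytes mean different things depending on the tag. These names
 * are hypothetical, not the msgpack-c or Fluent Bit definitions. */
enum obj_type { OBJ_INT, OBJ_STR, OBJ_ARRAY };

struct obj {
    enum obj_type type;
    union {
        int64_t i64;                                            /* OBJ_INT   */
        struct { uint32_t size; const char *ptr; } str;         /* OBJ_STR   */
        struct { uint32_t size; const struct obj *ptr; } array; /* OBJ_ARRAY */
    } via;
};

#define MAX_NAME_LEN 63

enum { NAME_OK = 0, ERR_NOT_STRING = -1, ERR_TOO_LONG = -2,
       ERR_EMPTY = -3, ERR_NOT_ARRAY = -4 };

/* Copy one input name into dst, but only after the tag confirms a string.
 * Skipping the tag check would read the str member of a union that holds
 * something else, which is the memory-corruption path. */
int copy_input_name(const struct obj *o, char *dst, size_t dst_len)
{
    if (o == NULL || dst == NULL || dst_len == 0) return ERR_EMPTY;
    if (o->type != OBJ_STR) return ERR_NOT_STRING;
    if (o->via.str.size == 0 || o->via.str.ptr == NULL) return ERR_EMPTY;
    if (o->via.str.size >= dst_len) return ERR_TOO_LONG; /* room for NUL */
    memcpy(dst, o->via.str.ptr, o->via.str.size);
    dst[o->via.str.size] = '\0';
    return NAME_OK;
}

/* Check every element before any is used, so a malformed request is
 * rejected whole rather than half-processed. */
int validate_input_names(const struct obj *inputs)
{
    char name[MAX_NAME_LEN + 1];
    if (inputs == NULL || inputs->type != OBJ_ARRAY) return ERR_NOT_ARRAY;
    if (inputs->via.array.size && inputs->via.array.ptr == NULL) return ERR_EMPTY;
    for (uint32_t i = 0; i < inputs->via.array.size; i++) {
        int rc = copy_input_name(&inputs->via.array.ptr[i], name, sizeof name);
        if (rc != NAME_OK) return rc;
    }
    return NAME_OK;
}
```

A request handler built this way returns an error for a non-string name instead of dereferencing it, so the same input that crashes an unpatched service is simply refused.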