Critical Vulnerability Discovered in Fluent Bit Cloud Logging Tool

A severe memory corruption vulnerability has been discovered in Fluent Bit, a widely used open-source cloud logging utility. This issue poses significant risks, including denial of service (DoS), data leakage, and remote code execution (RCE).

Fluent Bit, utilized for collecting, processing, and forwarding logs, boasts over 3 billion downloads as of 2022 and sees an additional 10 million deployments daily. Major organizations such as VMware, Cisco, Adobe, Walmart, LinkedIn, and leading cloud service providers like AWS, Microsoft, and Google Cloud rely on this tool.

The vulnerability, dubbed “Linguistic Lumberjack” by Tenable researchers, stems from how Fluent Bit’s embedded HTTP server parses trace requests. Manipulated requests can exploit this flaw, leading to severe security breaches in cloud environments.

“Everyone focuses on vulnerabilities in Azure, AWS, GCP, but often overlooks the core technologies underlying these services,” said Jimi Sebree, senior staff research engineer at Tenable. “It’s crucial to examine the application security of these fundamental components.”

Tenable researchers, while investigating another security issue, discovered they could access a range of internal metrics and logging endpoints of a cloud service provider, including instances of Fluent Bit. This cross-tenant data leakage originated from endpoints in Fluent Bit’s monitoring API, which allows users to query and monitor its internal data. Further testing revealed that improperly validated data types in the /api/v1/traces endpoint could cause memory corruption, leading to crashes and potential data leaks.

Attackers could potentially exploit this vulnerability for RCE, although such an attack would require significant customization for the target’s operating system and architecture.

The bug affects Fluent Bit versions 2.0.7 through 3.0.3 and is tracked under CVE-2024-4323. It has received critical CVSS scores exceeding 9.5 out of 10. The Fluent Bit maintainers addressed the issue by updating the service to properly validate data types in the problematic endpoint’s input field. This fix was applied to the main branch on GitHub on May 15.

Organizations using Fluent Bit are urged to update their deployments immediately. Alternatively, administrators can review and restrict access to Fluent Bit’s monitoring API to authorized users only.
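As an added illustration of the two mitigations above (this is not code from the article or from the Fluent Bit project), the following script checks a reported Fluent Bit version against the affected range named in the article and inspects a classic-format configuration to see whether the monitoring API is reachable beyond loopback. The keys http_server, http_listen and http_port are Fluent Bit's real [SERVICE] settings; the sample configuration and the status labels are constructed for the example.

```python
"""Triage helper for CVE-2024-4323 exposure (constructed example, not Fluent Bit code)."""
import re

AFFECTED_MIN = (2, 0, 7)   # first affected release named in the article
AFFECTED_MAX = (3, 0, 3)   # last affected release named in the article
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: a typical [SERVICE] block with the HTTP server exposed on all interfaces.
SAMPLE_CONFIG = """\
[SERVICE]
    flush        1
    http_server  On
    http_listen  0.0.0.0
    http_port    2020

[INPUT]
    name  cpu
"""

def parse_version(v: str) -> tuple:
    """Turn 'v3.0.2' or '3.0.2' into a comparable (3, 0, 2) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(v: str) -> bool:
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX

def service_settings(config_text: str) -> dict:
    """Collect key/value pairs from the [SERVICE] section; keys are case-insensitive."""
    settings, in_service = {}, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if line.startswith("["):
            in_service = line.upper() == "[SERVICE]"
            continue
        if in_service:
            parts = line.split(None, 1)
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def monitoring_api_exposed(config_text: str) -> bool:
    """True if the embedded HTTP server is on and not bound to a loopback address only."""
    s = service_settings(config_text)
    if s.get("http_server", "off").lower() != "on":   # Fluent Bit default: Off
        return False
    return s.get("http_listen", "0.0.0.0") not in LOOPBACK  # default listen: 0.0.0.0

def assess(version: str, config_text: str) -> str:
    """Constructed status labels: 'patched', 'at-risk', or 'affected-api-not-reachable'."""
    if not is_affected_version(version):
        return "patched"
    return "at-risk" if monitoring_api_exposed(config_text) else "affected-api-not-reachable"
```

Run assess() against the version reported by each deployment and its config to prioritise which hosts to upgrade first.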
