Critical Fluent Bit flaw affects major cloud platforms, tech companies’ offerings (CVE-2024-4323)
Tenable researchers have discovered a critical vulnerability (CVE-2024-4323) in Fluent Bit, a logging utility used by major cloud providers and tech companies, which may be leveraged for denial of service, information disclosure, or remote code execution.
About CVE-2024-4323
Fluent Bit is an open-source data collection, processing and forwarding utility for Linux, BSD, macOS and Windows that can easily handle large volumes of log data, which is why the likes of Google Cloud, AWS, Digital Ocean, Cisco, Sumo Logic, Intel, and other high-profile tech companies are using it.
CVE-2024-4323 (aka “Linguistic Lumberjack”) is a buffer overflow vulnerability in the utility’s built-in HTTP server, and may be exploited to crash the service, leading to denial of service.
“[The researchers] were also able to retrieve chunks of adjacent memory, which are returned in the HTTP responses. While this is generally unlikely to reveal anything other than previous metrics requests, the researchers were able to occasionally retrieve partial secrets during their testing, indicating that this issue could potentially leak sensitive information,” Tenable researcher Jimi Sebree explained.
Using this vulnerability to achieve remote code execution is much harder, he said, so there is no immediate risk of that.
More technical details about the flaw as well as a PoC for demonstrating the vulnerability’s crashing potential can be found here.
What to do?
“This issue was ultimately fixed by properly validating the data types of values in the ‘inputs’ array sent to the ‘traces’ endpoint,” Sebree shared.
Companies that deploy it in their environments are advised to upgrade to Fluent Bit v3.0.4, which will be released soon. Linux packages with the fix are already available. It that’s not possible, they should make sure that access to Fluent Bit’s monitoring API is given only to authorized users and services.
“If you rely on cloud services that are known to make use of Fluent Bit, we recommend reaching out to your cloud provider to ensure that updates or mitigations are deployed in a timely manner. With regards to usage by major cloud providers, Tenable notified Microsoft, Amazon, and Google of this issue via their respective vulnerability disclosure mechanisms on May 15, 2024 so that they could begin their internal triage processes,” Sebree concluded.