
Warning: A Critical Vulnerability Affects Fluent Bit

Reference: Advisory #2024-68
Version: 1.0
Affected software: Fluent Bit versions 2.0.7 through 3.0.3
Type: Denial of Service, Information disclosure, Remote code execution
CVE/CVSS: CVE-2024-4323: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://github.com/fluent/fluent-bit/commit/9311b43a258352797af40749ab31a63c32acfd04

Risks

Fluent Bit is a very popular logging and metrics solution for Windows, Linux, and macOS that is embedded in major Kubernetes distributions, including those from Amazon AWS, Google GCP, and Microsoft Azure.

Fluent Bit is affected by a memory corruption vulnerability that has a low attack complexity, does not require any privileges and has a HIGH impact on Confidentiality, Integrity and Availability.

Description

CVE-2024-4323: Memory Corruption

A memory corruption vulnerability affects Fluent Bit versions 2.0.7 through 3.0.3. The issue lies in the embedded HTTP server's parsing of trace requests addressed to its monitoring API.

Fluent Bit's monitoring API is intended to allow administrators or other users to query and monitor information internal to the service itself. The endpoints /api/v1/traces and /api/v1/trace, which allow end-users to enable, disable, or retrieve information about configured traces, can be queried by any user with access to this API. By passing non-string values, such as integers, in the "inputs" array of these requests, it is possible to cause a variety of memory corruption issues that could lead to denial of service conditions, information disclosure, or remote code execution.
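As an added illustration (not part of the advisory and not Fluent Bit's own code), the following Python helper flags monitoring-API trace requests whose "inputs" array carries non-string elements, the condition the advisory describes, and checks whether a reported Fluent Bit version falls in the affected range. It assumes request bodies are JSON and that request path and body are available from a reverse-proxy or access log; the sample records and input names are constructed.

```python
import json

# Affected range as stated in the advisory (inclusive on both ends).
AFFECTED_MIN = (2, 0, 7)
AFFECTED_MAX = (3, 0, 3)

# Monitoring-API endpoints named in the advisory.
TRACE_ENDPOINTS = ("/api/v1/trace", "/api/v1/traces")


def parse_version(version: str) -> tuple:
    """Turn '3.0.3' or 'v3.0.3' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def is_affected(version: str) -> bool:
    """True when the version lies within 2.0.7 .. 3.0.3."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def trace_request_findings(path: str, body: str) -> list:
    """Return reasons a trace request should be flagged for review.

    Only the 'inputs' array is inspected, because the advisory states that
    non-string elements (e.g. integers) there trigger the memory corruption.
    Requests to other endpoints are ignored."""
    if path.split("?", 1)[0] not in TRACE_ENDPOINTS:
        return []
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    if not isinstance(data, dict) or "inputs" not in data:
        return []
    inputs = data["inputs"]
    if not isinstance(inputs, list):
        return ["'inputs' is not an array"]
    return [
        f"inputs[{idx}] is {type(item).__name__}, not str"
        for idx, item in enumerate(inputs)
        if not isinstance(item, str)
    ]


# Constructed sample records (hypothetical log format, not Fluent Bit's own).
SAMPLE_REQUESTS = [
    {"path": "/api/v1/traces", "body": '{"inputs": ["tail.0", "dummy.1"]}'},
    {"path": "/api/v1/traces", "body": '{"inputs": ["tail.0", 1234]}'},
    {"path": "/api/v1/metrics", "body": ""},
]


def scan(records: list) -> dict:
    """Map record index -> findings, for records that produced any."""
    results = {i: trace_request_findings(r["path"], r["body"]) for i, r in enumerate(records)}
    return {i: f for i, f in results.items() if f}
```

Running `scan(SAMPLE_REQUESTS)` flags only the second record; a hit on an unpatched instance should be treated as a possible exploitation attempt, not just malformed input.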

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for any of the vulnerable software mentioned in the present advisory.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://www.tenable.com/security/research/tra-2024-17

https://www.bleepingcomputer.com/news/security/critical-fluent-bit-flaw-impacts-all-major-cloud-providers/