Cybersecurity researchers have found a vital safety flaw in a preferred logging and metrics utility known as Fluent Bit that could possibly be exploited to attain denial-of-service (DoS), data disclosure, or distant code execution.
The vulnerability, tracked as CVE-2024-4323, has been codenamed Linguistic Lumberjack by Tenable Analysis. It impacts variations from 2.0.7 via 3.0.3, with fixes accessible in model 3.0.4.
The difficulty pertains to a case of reminiscence corruption in Fluent Bit’s built-in HTTP server that would enable for DoS, data leakage, or distant code execution.
Particularly, it pertains to sending maliciously crafted requests to the monitoring API via endpoints similar to /api/v1/traces and /api/v1/hint.
“Regardless of whether or not any traces are configured, it is still possible for any user with access to this API endpoint to query it,” safety researcher Jimi Sebree stated.
“During the parsing of incoming requests for the /api/v1/traces endpoint, the data types of input names are not properly validated before being parsed.”
By default, the information varieties are assumed to be strings (i.e., MSGPACK_OBJECT_STR), which a risk actor may exploit by passing non-string values, resulting in reminiscence corruption.
Tenable stated it was in a position to reliably exploit the difficulty to crash the service and trigger a DoS situation. Distant code execution, however, depends on quite a lot of environmental elements similar to host structure and working system.
Customers are really helpful to replace to the newest model to mitigate potential safety threats, particularly given {that a} proof-of-concept (PoC) exploit has been made accessible for the flaw.
