“Linguistic Lumberjack” Vulnerability Found in Fashionable Logging Utility Fluent Bit

Could 21, 2024NewsroomCyber Assault / API Safety

Cybersecurity researchers have found a vital safety flaw in a preferred logging and metrics utility known as Fluent Bit that could possibly be exploited to attain denial-of-service (DoS), data disclosure, or distant code execution.

The vulnerability, tracked as CVE-2024-4323, has been codenamed Linguistic Lumberjack by Tenable Analysis. It impacts variations from 2.0.7 via 3.0.3, with fixes accessible in model 3.0.4.

The difficulty pertains to a case of reminiscence corruption in Fluent Bit’s built-in HTTP server that would enable for DoS, data leakage, or distant code execution.

Particularly, it pertains to sending maliciously crafted requests to the monitoring API via endpoints similar to /api/v1/traces and /api/v1/hint.

Cybersecurity

“Regardless of whether or not any traces are configured, it is still possible for any user with access to this API endpoint to query it,” safety researcher Jimi Sebree stated.

“During the parsing of incoming requests for the /api/v1/traces endpoint, the data types of input names are not properly validated before being parsed.”

Fluent Bit Vulnerability

By default, the information varieties are assumed to be strings (i.e., MSGPACK_OBJECT_STR), which a risk actor may exploit by passing non-string values, resulting in reminiscence corruption.

Tenable stated it was in a position to reliably exploit the difficulty to crash the service and trigger a DoS situation. Distant code execution, however, depends on quite a lot of environmental elements similar to host structure and working system.

Customers are really helpful to replace to the newest model to mitigate potential safety threats, particularly given {that a} proof-of-concept (PoC) exploit has been made accessible for the flaw.

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.

Recent articles

INTERPOL Pushes for

Dec 18, 2024Ravie LakshmananCyber Fraud / Social engineering INTERPOL is...

Patch Alert: Essential Apache Struts Flaw Discovered, Exploitation Makes an attempt Detected

Dec 18, 2024Ravie LakshmananCyber Assault / Vulnerability Risk actors are...