
Exploiting Memory Corruption in Cloud Logging Infrastructure for Code Execution Attack

A recent discovery has brought attention to a critical vulnerability, known as “Linguistic Lumberjack” (CVE-2024-4323), in Fluent Bit’s built-in HTTP server. It has been classified as critical, with a severity rating of 9.8. Exploitation can lead to denial of service, information disclosure, and remote code execution.

The vulnerability affects Fluent Bit versions 2.0.7 through 3.0.3. A patch is expected in the latest release, Fluent Bit 3.0.4. Fluent Bit is a lightweight, open-source data collector and processor designed to handle large volumes of log data from multiple sources.

According to reports shared by Tenable, the vulnerability in Fluent Bit’s built-in HTTP server stems from memory corruption, which can be exploited to achieve denial of service, information disclosure, or remote code execution. Fluent Bit’s monitoring API allows users to query and monitor internal information within the service. Endpoints such as /api/v1/traces and /api/v1/trace let users enable, disable, or retrieve information about configured traces.

The vulnerability arises from improper validation of input data types when parsing requests to the /api/v1/traces endpoint. Parsing non-string values can result in memory corruption within Fluent Bit. Further analysis of the code revealed that the issue lies in the assignment of the input_name variable using the flb_sds_create_len() function. Passing large integer values or negative values can crash Fluent Bit through a “wild copy” in the resulting call to memcpy().

Negative values can also trigger heap overwrites of adjacent memory, creating a similar threat. Researchers identified several scenarios where integer values of varying magnitudes could initiate stack corruption. Exploiting this vulnerability resulted in a service crash and denial of service. Additionally, researchers were able to retrieve chunks of adjacent memory in HTTP responses, potentially leaking sensitive information and leading to information disclosure.
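The missing type check described above, sketched as an added example; this is not Fluent Bit's code or its patch. The value_t layout, the MAX_INPUT_NAME bound and the function name are assumptions made for illustration, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoded request value: a type tag plus a union, so an
 * integer and a string descriptor occupy the same storage. */
typedef enum { VAL_INT, VAL_STR } val_type;
typedef struct {
    val_type type;
    union {
        int64_t i64;
        struct { uint32_t size; const char *ptr; } str;
    } via;
} value_t;

#define MAX_INPUT_NAME 256 /* assumed bound, not a Fluent Bit constant */

/* Returns a heap copy of the name, or NULL when the value is not a sane
 * string. Skipping the tag check would let integer bytes be read as a
 * string length and passed on to memcpy(). */
char *input_name_from_value(const value_t *v)
{
    if (v == NULL || v->type != VAL_STR)
        return NULL;                  /* wrong type: reject before any copy */
    uint32_t len = v->via.str.size;
    if (v->via.str.ptr == NULL || len == 0 || len > MAX_INPUT_NAME)
        return NULL;                  /* missing, empty or oversized */
    char *name = malloc((size_t)len + 1);
    if (name == NULL)
        return NULL;
    memcpy(name, v->via.str.ptr, len);
    name[len] = '\0';
    return name;
}

int main(void)
{
    /* Constructed samples: a valid name, then two integers sent in its place. */
    value_t samples[3] = {
        { .type = VAL_STR, .via.str = { 6, "tail.0" } },
        { .type = VAL_INT, .via.i64 = -1 },
        { .type = VAL_INT, .via.i64 = 4294967295LL },
    };
    for (size_t i = 0; i < 3; i++) {
        char *name = input_name_from_value(&samples[i]);
        printf("sample %zu: %s\n", i, name ? name : "(rejected)");
        free(name);
    }
    return 0;
}
```
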

The vulnerability presents a risk of remote code execution, with exploitability dependent on host architecture and operating system. While crafting an exploit may be time-sensitive, the flaw remains exploitable until patched. The commit addressing this improper input validation offers a solution to mitigate the risk.

To prevent threat actors from exploiting this vulnerability, it is recommended that Fluent Bit users upgrade to the latest version. With the release of Fluent Bit 3.0.4, users can ensure their systems are secured against potential attacks. Stay informed and stay protected.
