
Fluent Bit utility reveals critical bug


On Monday, Tenable revealed a critical memory corruption vulnerability in Fluent Bit, an open source logging utility widely used by major cloud vendors. The bug, identified as CVE-2024-4323, affects Fluent Bit versions 2.0.7 through 3.0.3, posing risks such as denial-of-service attacks, information leaks, and even remote code execution. According to Jimi Sebree, a senior staff research engineer at Tenable, the flaw stems from a validation issue within the software’s embedded HTTP server. Tenable reported the vulnerability to project maintainers on April 30, and fixes were implemented in version 3.0.4 on May 15.

Sebree emphasized that Fluent Bit serves as a vital component for many major cloud providers and has been downloaded over 3 billion times as of 2022, with more than 10 million deployments occurring daily. During a research investigation related to an undisclosed vulnerability within a cloud service, Tenable stumbled upon what they dubbed “Linguistic Lumberjack.”

Researchers discovered that by accessing various metrics and logging endpoints within a cloud service, they could potentially leak cross-tenant information. Further exploration in an isolated environment resulted in the identification of the memory corruption issue linked to Fluent Bit. Specifically, flaws in the monitoring API allowed unauthorized users to retrieve information about configured traces, leading to service crashes and potential data disclosure.

The researchers managed to crash the service and access chunks of adjacent memory during their tests. Additionally, they uncovered partial secrets, indicating the possibility of sensitive data leakage through the vulnerability. Sebree highlighted that exploiting CVE-2024-4323 could facilitate denial of service or information disclosure, although achieving remote code execution would require additional factors such as host architecture and operating system compatibility.

A patch for the vulnerability is now available on Fluent Bit’s GitHub page, prompting Tenable to urge affected organizations to upgrade promptly or enforce restrictions on authorized queries. Sebree advised cloud service users reliant on Fluent Bit to coordinate with their providers to ensure prompt deployment of updates or mitigations.
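For teams triaging an inventory against the version range given above (2.0.7 through 3.0.3 affected, fixed in 3.0.4), the following is an added example, not code from Tenable, the Fluent Bit project or this article. The image references in the sample inventory are constructed, and anything that does not carry a full three-part version (a `latest` tag, a digest-only pin) is reported as unknown rather than guessed.

```python
import re

# Range stated in the article: 2.0.7 through 3.0.3 affected, fixed in 3.0.4.
FIRST_AFFECTED = (2, 0, 7)
LAST_AFFECTED = (3, 0, 3)

# A full major.minor.patch version, optionally prefixed with "v".
_VERSION = re.compile(r"(?<![\d.])v?(\d+)\.(\d+)\.(\d+)(?![\d.])")


def classify(ref: str) -> str:
    """Return 'affected', 'not-affected' or 'unknown' for a version
    string or a container image reference."""
    ref = ref.split("@", 1)[0]            # drop any digest pin
    name = ref.rsplit("/", 1)[-1]         # drop registry host:port and path
    tag = name.split(":", 1)[1] if ":" in name else name
    match = _VERSION.search(tag)
    if not match:
        return "unknown"                  # floating tag: needs a manual check
    version = tuple(int(part) for part in match.groups())
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "affected"
    return "not-affected"


def triage(inventory):
    """Group inventory entries by classification."""
    result = {"affected": [], "not-affected": [], "unknown": []}
    for entry in inventory:
        result[classify(entry)].append(entry)
    return result


# Constructed sample inventory (not taken from any real environment).
SAMPLE_INVENTORY = [
    "fluent/fluent-bit:3.0.3-debug",
    "registry.example:5000/logging/fluent-bit:2.0.6",
    "fluent/fluent-bit:3.0.4",
    "fluent/fluent-bit:latest",
    "Fluent Bit v2.2.3",
]

if __name__ == "__main__":
    for status, entries in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {entries}")
```

Entries reported as unknown should be resolved by checking the version of the running binary, since a floating tag can point at either side of the fix.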

Tenable promptly notified Microsoft, Amazon, and Google about the vulnerability on May 15 to initiate their internal evaluation processes. Despite outreach for additional comments, TechTarget Editorial did not receive responses from the cloud providers at the time of publication.

The discovery of the “Linguistic Lumberjack” vulnerability underscores the importance of consistent monitoring and patching for software vulnerabilities, especially in critical components like Fluent Bit that are widely used across cloud infrastructure. Organizations are urged to stay vigilant and proactive in addressing security threats to safeguard their systems and data.
