THE THREAT
On May 20th, Tenable Research disclosed a critical memory corruption vulnerability in Fluent Bit dubbed “Linguistic Lumberjack.” Tracked as CVE-2024-4323 (CVSS: 9.8), this vulnerability impacts Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded HTTP server’s parsing of trace requests and may result in Denial-of-Service (DoS), information disclosure, or Remote Code Execution (RCE). Tenable included Proof-of-Concept (PoC) exploit code for the Denial-of-Service attack in their release.
Real world exploitation of CVE-2024-4323 has not been identified at this time. Due to the release of PoC exploit code and the prevalence of Fluent Bit, the eSentire Threat Intelligence team assesses that exploitation in the near future is probable. As such, organizations using Fluent Bit are strongly recommended to perform remediation actions as soon as possible.
What we’re doing about it
- eSentire Managed Vulnerability Service (MVS) has plugins in place to identify this vulnerability
- eSentire’s Threat Response Unit (TRU) is actively tracking this vulnerability for additional details and detection opportunities
What you should do about it
- Organizations using Fluent Bit need to apply relevant security patches after performing a business impact review
- If immediate patching is not feasible
- Thoroughly review any relevant configurations allowing access to Fluent Bit's monitoring API
- Ensure that only authorized users and services have access to query this API
- If the endpoint is not being utilized, consider disabling it entirely
- Verify cloud vendors are not impacted, or have remediated the vulnerability
Additional information
Fluent Bit is a lightweight, open-source data collector and processor known for its ability to efficiently handle large amounts of log data from diverse sources. Engineered for scalability and ease of use, it has become a common solution for collecting and processing logs in cloud-based environments. With more than 10 million daily deployments, Fluent Bit is deeply integrated into the infrastructure of nearly every major cloud provider including Amazon, Google, and Microsoft.
The Fluent Bit monitoring API allows users to query and monitor internal service information, such as uptime and plugin metrics. However, insufficient validation of data types in the "inputs" array of requests to the /api/v1/traces endpoint led to memory corruption issues. Passing non-string values, such as integers, could trigger crashes, heap overwrites, memory disclosure, and even remote code execution possibilities under certain environmental conditions.
At the time of writing, Fluent Bit has not made a formal announcement and the project maintainers have not yet generated an official release despite the vulnerability information being publicly available in the repository. Updated Linux packages can be found here.
References:
[1] https://www.tenable.com/blog/linguistic-lumberjack-attacking-cloud-services-via-logging-endpoints-fluent-bit-cve-2024-4323
[2] https://www.tenable.com/security/research/tra-2024-17
[3] https://www.tenable.com/cve/CVE-2024-4323
[4] https://github.com/fluent/fluent-bit/commit/9311b43a258352797af40749ab31a63c32acfd04
[5] https://github.com/fluent/fluent-bit/actions/runs/9097880110
