
Critical flaw found in Fluent Bit cloud services monitoring component


Security researchers at Tenable have discovered a potentially critical memory corruption vulnerability in Fluent Bit, a core component in the monitoring infrastructure of many cloud services.

The vulnerability, dubbed Linguistic Lumberjack and tracked as CVE-2024-4323, stems from coding flaws within Fluent Bit’s built-in HTTP server. Left unresolved, the vulnerability could lead to denial of service, information disclosure, or (in the most severe but unlikely case) remote code execution attacks.

Fluent Bit versions 2.0.7 through 3.0.3 are all vulnerable. Fluent Bit version 3.0.4 closes this vulnerability and its associated threats, according to the component’s developers.
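The vulnerable range and the fixed release above are the facts an operator needs to triage an inventory of Fluent Bit deployments. The following is an added example, not code from the article or from the Fluent Bit project, that encodes that range and flags hosts which need an upgrade; the inventory it runs over is constructed, and version strings it cannot parse are reported for manual checking rather than silently treated as safe.

```python
from typing import Dict, Iterable, List, Tuple

# Vulnerable range and fixed release for CVE-2024-4323, as stated in the article.
FIRST_VULNERABLE = (2, 0, 7)
LAST_VULNERABLE = (3, 0, 3)
FIXED = (3, 0, 4)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.0.4' or 'v3.0.4' into a comparable (major, minor, patch) tuple.

    Anything else (pre-release tags, truncated strings) raises ValueError so the
    caller can route it to a manual check instead of guessing.
    """
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Fluent Bit version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the affected range 2.0.7 .. 3.0.3."""
    return FIRST_VULNERABLE <= parse_version(version) <= LAST_VULNERABLE


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Sort (host, version) pairs into 'upgrade', 'ok' and 'unknown' buckets."""
    result: Dict[str, List[str]] = {"upgrade": [], "ok": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "upgrade" if is_vulnerable(version) else "ok"
        except ValueError:
            bucket = "unknown"  # could not parse: needs a human look
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("log-collector-a", "3.0.3"),
    ("log-collector-b", "v2.0.7"),
    ("log-collector-c", "3.0.4"),
    ("log-collector-d", "2.0.6"),
    ("log-collector-e", "3.0.4-dev"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `upgrade` bucket should move to 3.0.4 or later; the `unknown` bucket exists so that an odd build string never counts as patched by accident.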

Fluent Bit

Fluent Bit is an open-source data collector and processor that can parse log data from various sources. Its scalability makes it suitable for cloud-based environments.

Listed users include AWS, Microsoft Azure and Google Cloud. All three hyperscalers rely heavily on the technology, according to Tenable.

The technology also features in monitoring applications from Cisco, Splunk and others. Other software developers also make use of Fluent Bit, which recorded 3 billion downloads as of 2022 and continues to be deployed more than 10 million times per day.

Tenable reported the issue to the project’s maintainers on April 30, and they responded by developing a patched version of the technology, Fluent Bit 3.0.4, released May 21.

Fluent Bit’s developers urged technology providers to update “immediately to keep your systems stable and secure” in a statement on their website.

Vulnerabilities in cloud-based systems are normally patched promptly and without user intervention. CSOonline approached hyperscaler cloud providers for comment, with one responding that it had not been impacted by the issue and criticising Tenable’s research as somewhat sensationalised.

Other technology providers that make use of the log monitoring tool have the vulnerability in hand.

CrowdStrike, for example, said it had updated to the patched version of Fluent Bit within its environment, and there was no direct impact to customers running the patched version of Fluent Bit.

However, it warned, “Customers using the LogScale Kubernetes Logging package should redeploy and update to the patched version of Fluent Bit immediately. We further recommend that customers running their own instances of Fluent Bit verify their versions and apply the necessary updates to mitigate any potential risks.”

CSOonline also approached firms that offer enterprise services for Fluent Bit (Calyptia, Fluentd and Clear Code) asking what advice they had for their customers, although none of them immediately responded.

Learning experience

In a technical blog post, Tenable explained how it came across the vulnerability while investigating a separate (as yet undisclosed) flaw in an (unnamed) cloud service, after realising it was able to access a variety of metrics and logging endpoints internal to the cloud service itself, including a number of Fluent Bit instances.

Further testing of Fluent Bit in an isolated environment led to the discovery of the memory corruption issue.

More specifically, the embedded HTTP server within Fluent Bit was vulnerable because it failed to sanitize trace requests.

This set up a mechanism for attackers to pass unexpected or invalid input to either crash a system or to use memory corruption to expose secret information. A remote code execution attack might also be possible, at least in theory.
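The defensive point in the two paragraphs above is that a request handler must check the type and size of every field before the rest of the code treats it as a string. The following is an added example, not Fluent Bit's code, that shows what such a check looks like for a trace-style request. It assumes a constructed request shape (a JSON object whose `inputs` field lists plugin names) and a made-up name length limit; both stand in for the real endpoint's format. Requests with a non-string entry, an oversized name, or a malformed body are rejected with a 400 before any of their content is used.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed limit for this example, not a Fluent Bit setting.
MAX_NAME_LEN = 64
ALLOWED_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


class InvalidTraceRequest(ValueError):
    """Raised for any request that fails validation."""


def validate_trace_request(body: bytes) -> List[str]:
    """Return the list of plugin names from a well-formed request body.

    Every element of 'inputs' is checked to be a bounded, printable string
    before it is returned, so callers never see a value of the wrong type.
    """
    try:
        doc: Any = json.loads(body)
    except ValueError as exc:
        raise InvalidTraceRequest(f"body is not valid JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise InvalidTraceRequest("top-level value must be a JSON object")
    inputs = doc.get("inputs")
    if not isinstance(inputs, list) or not inputs:
        raise InvalidTraceRequest("'inputs' must be a non-empty array")

    names: List[str] = []
    for i, item in enumerate(inputs):
        # The type check is the key step: an integer or object here must not be
        # handed on to code that expects a string.
        if not isinstance(item, str):
            raise InvalidTraceRequest(
                f"inputs[{i}] must be a string, got {type(item).__name__}"
            )
        if not item or len(item) > MAX_NAME_LEN:
            raise InvalidTraceRequest(f"inputs[{i}] length must be 1..{MAX_NAME_LEN}")
        if not set(item) <= ALLOWED_NAME_CHARS:
            raise InvalidTraceRequest(f"inputs[{i}] contains disallowed characters")
        names.append(item)
    return names


def handle_trace_request(body: bytes) -> Tuple[int, Dict[str, Any]]:
    """Minimal handler: (status code, JSON-serialisable response)."""
    try:
        names = validate_trace_request(body)
    except InvalidTraceRequest as exc:
        return 400, {"error": str(exc)}
    return 200, {"traced": names}


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, three malformed.
    samples = [
        b'{"inputs": ["dummy.0", "tail.1"]}',
        b'{"inputs": [1234]}',
        b'{"inputs": ["' + b"a" * 500 + b'"]}',
        b'not json at all',
    ]
    for raw in samples:
        print(handle_trace_request(raw))
```

The ordering matters: type, then length, then character set, each checked before the value is stored or logged. A handler written this way turns the "unexpected or invalid input" cases described in the article into a 400 response instead of undefined behaviour.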

Both the developers and Tenable stress that such an attack would be highly dependent on architecture, host OS, and other environmental factors and otherwise difficult to pull off successfully.

Fluent Bit’s developers are treating the whole episode as a learning experience.

“Even though nobody’s excited to receive a critical security notice right before they step out to lunch, this issue still provided us with a helpful nudge to assess our vulnerability prevention practices within the Fluent Bit project,” they wrote. “For example, it was a reminder that some measures we already have in place, like our participation in the Google OSS-Fuzz program, are in place for a reason. It also gave us a chance to strengthen other aspects of our incident response and ensure that they’re maximally effective for the future of Fluent Bit.”
