A critical security vulnerability(CVE-2024-4323) referred to as “Linguistic Lumberjack,” has been found within Fluent Bit, a widely-used logging and metrics tracking utility employed within major cloud infrastructure services.
Fluent Bit is an open-source, lightweight data collector and processor service designed to handle large volumes of log data from various sources on Windows, Linux, and macOS operating systems. Its scalability and ease of use make it a preferred choice for usage in cloud environments and sees at least 10 million daily deployments.
The Linguistic Lumberjack vulnerability could potentially enable attackers to execute Denial of Service (DoS) attacks, disclose sensitive information, or even gain remote code execution (RCE) capabilities.
Linguistic Lumberjack Vulnerability
The Linguistic Lumberjack vulnerability stems from a heap buffer overflow flaw in Fluent Bit’s built-in HTTP server, particularly in how it handles the /api/v1/traces endpoint. This endpoint enables administrators to configure how FluentBit handles its tracing and monitoring operations.
However, due to a lack of proper validation of input types, sending non-string values (such as integers) in the “inputs” array of a request can lead to memory corruption. The code incorrectly assumes these values to be valid MSGPACK_OBJECT_STRs.
Through the intentional passing of integer values in the “inputs” array field, an attacker can trigger various memory corruption issues, including heap buffer overflows and crashes due to attempts to write to protected memory regions.
In a controlled environment, Tenable researchers successfully exploited the vulnerability to trigger service crashes (DoS) and the leak of adjacent memory contents, which could potentially include sensitive information in a real-life scenario. Under specific environmental factors, attackers could even exploit the vulnerability to cause denial-of-service conditions or remote code execution.
The Fluent Bit utility service is deeply integrated into major Kubernetes distributions from Amazon AWS, Google GCP, and Microsoft Azure. Beyond cloud providers, Fluent Bit is also relied upon by several major tech companies including Cisco, VMware, Intel, Adobe, and Dell. The utility is also known to be used by several major cybersecurity companies.
Mitigation and Remediation
The critical memory corruption vulnerability was introduced in version 2.0.7 of Fluent Bit and exists up to version 3.0.3 of the software released on April 27th 2024. The issue has been fixed in the main source branch of Fluent Bit, with the fix expected to be included in the release of the upcoming version 3.0.4 of the software. For Linux, packages containing the fix are already available for download.
For users unable to upgrade immediately, the researchers have recommended a review of existing access to Fluent Bit’s monitoring API while restricting access to authorized users and services only, and to disable the endpoint if it is not in use.
For organizations relying on cloud services known to utilize Fluent Bit, reaching out to the cloud provider to ensure timely updates or mitigations is advised. The researchers have notified the bug’s existence to major cloud providers on May 15, 2024, to allow them to initiate their own internal responses.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
