Critical Fluent Bit flaw impacts all major cloud providers

Cloud Hacker

A critical Fluent Bit vulnerability that can be exploited in denial-of-service and remote code execution attacks impacts all major cloud providers and many technology giants.

Fluent Bit is an extremely popular logging and metrics solution for Windows, Linux, and macOS embedded in major Kubernetes distributions, including those from Amazon AWS, Google GCP, and Microsoft Azure.

As of March 2024, Fluent Bit had been downloaded and deployed over 13 billion times, a massive increase from the three billion downloads reported in October 2022.

Fluent Bit is also used by cybersecurity firms like CrowdStrike and Trend Micro, and many tech companies, such as Cisco, VMware, Intel, Adobe, and Dell.

Tracked as CVE-2024-4323 and dubbed Linguistic Lumberjack by the Tenable security researchers who discovered it, this critical memory corruption vulnerability was introduced with version 2.0.7 and is caused by a heap buffer overflow weakness in the way Fluent Bit's embedded HTTP server parses trace requests.

Although unauthenticated attackers can easily exploit the security flaw to trigger a denial of service or to capture sensitive information remotely, they could also use it to gain remote code execution, given the right conditions and enough time to create a reliable exploit.

“While heap buffer overflows such as this are known to be exploitable, creating a reliable exploit is not only difficult, but incredibly time intensive,” Tenable said.

“The researchers believe that the most immediate and primary risks are those pertaining to the ease with which DoS and information leaks can be accomplished.”

Patches shipping with Fluent Bit 3.0.4

Tenable reported the security bug to the vendor on April 30, and fixes were committed to Fluent Bit’s main branch on May 15. Official releases containing this patch are expected to ship with Fluent Bit 3.0.4 (Linux packages are available here).

Tenable also notified Microsoft, Amazon, and Google of this critical security bug on May 15 through their vulnerability disclosure platforms.

Until fixes are available for all impacted platforms, customers who have deployed this logging utility on their own infrastructure can mitigate the issue by limiting access to Fluent Bit’s monitoring API to authorized users and services.

You can also disable this vulnerable API endpoint if it’s not being used to ensure that any potential attacks are blocked and the attack surface is removed.
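Both mitigations can be checked against a deployed configuration. The following is an added example, not code from the article, Tenable, or the Fluent Bit project: it audits the `[SERVICE]` section of a classic-mode config for an enabled monitoring HTTP server and compares the version to the affected range stated above. The sample config, the function names, and the defaults assumed for missing keys (`HTTP_Server` off, `HTTP_Listen` 0.0.0.0) are assumptions.

```python
import ipaddress
import re

# Affected range as stated in the article: introduced in 2.0.7, fix in 3.0.4.
FIRST_AFFECTED, FIRST_FIXED = (2, 0, 7), (3, 0, 4)

# Constructed sample of a classic-mode Fluent Bit configuration.
SAMPLE_CONFIG = """\
[SERVICE]
    Flush        1
    # monitoring API reachable on every interface
    HTTP_Server  On
    HTTP_Listen  0.0.0.0
    HTTP_Port    2020

[INPUT]
    Name  cpu
"""

def parse_service(config_text):
    """Return the [SERVICE] section as a dict with lower-cased keys."""
    section, service = None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).upper()
        elif section == "SERVICE":
            parts = line.split(None, 1)
            service[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return service

def audit(config_text, version):
    """Report whether the vulnerable endpoint is active and who can reach it."""
    svc = parse_service(config_text)
    # Assumed defaults when a key is absent: server off, listen on 0.0.0.0.
    enabled = svc.get("http_server", "off").lower() in ("on", "true", "yes")
    try:
        loopback = ipaddress.ip_address(svc.get("http_listen", "0.0.0.0")).is_loopback
    except ValueError:  # hostname or malformed value: treat as not loopback
        loopback = False
    ver = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    affected = FIRST_AFFECTED <= ver < FIRST_FIXED
    return {"affected_version": affected,
            "vulnerable_endpoint_active": affected and enabled,
            "network_exposed": enabled and not loopback}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "3.0.3"))
```

A result with both `vulnerable_endpoint_active` and `network_exposed` set is the case the article's mitigations address: restrict who can reach the monitoring API, or turn it off if it is unused.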
