Cybersecurity researchers have discovered a critical security flaw in a popular logging and metrics utility called Fluent Bit that could be exploited to achieve denial-of-service (DoS), information disclosure, or remote code execution.
The vulnerability, tracked as CVE-2024-4323, has been codenamed Linguistic Lumberjack by Tenable Research. It impacts versions from 2.0.7 through 3.0.3, with fixes available in version 3.0.4.
The issue relates to a case of memory corruption in Fluent Bit's built-in HTTP server that could allow for DoS, information leakage, or remote code execution.
Specifically, it relates to sending maliciously crafted requests to the monitoring API through endpoints such as /api/v1/traces and /api/v1/trace.
"Regardless of whether or not any traces are configured, it is still possible for any user with access to this API endpoint to query it," security researcher Jimi Sebree said.
"During the parsing of incoming requests for the /api/v1/traces endpoint, the data types of input names are not properly validated before being parsed."
By default, the data types are assumed to be strings (i.e., MSGPACK_OBJECT_STR), which a threat actor could exploit by passing non-string values, leading to memory corruption.
Tenable said it was able to reliably exploit the issue to crash the service and cause a DoS condition. Remote code execution, on the other hand, is dependent on a variety of environmental factors such as host architecture and operating system.
Users are recommended to update to the latest version to mitigate potential security threats, especially given that a proof-of-concept (PoC) exploit has been made available for the flaw.
