"Linguistic Lumberjack" Vulnerability Discovered in Popular Logging Utility Fluent Bit
May 21, 2024
Cyber Attack / API Security
Cybersecurity researchers have discovered a critical security flaw in a popular logging and metrics utility called Fluent Bit that could be exploited to achieve denial-of-service (DoS), information disclosure, or remote code execution.

The vulnerability, tracked as CVE-2024-4323, has been codenamed Linguistic Lumberjack by Tenable Research. It impacts versions from 2.0.7 through 3.0.3, with fixes available in version 3.0.4.

The issue relates to a case of memory corruption in Fluent Bit's built-in HTTP server that could allow for DoS, information leakage, or remote code execution. Specifically, it relates to sending maliciously crafted requests to the monitoring API through endpoints such as /api/v1/traces and /api/v1/trace.

"Regardless of whether or not any traces are configured, it is still possible for any user with access to this API endpoint to query it," security researcher Jimi Sebree said. "During the parsing of incoming requests for the /api/
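As an added example (not from the article or from the Fluent Bit project), the following Python script does the two triage steps a defender needs from the details above: it checks whether a deployed Fluent Bit version falls in the affected 2.0.7 through 3.0.3 range using proper numeric version comparison, and it counts requests to the /api/v1/traces and /api/v1/trace endpoints per client in access logs. The log lines and the common-log-format layout are constructed for illustration and assume a reverse proxy in front of the Fluent Bit HTTP server.

```python
import re

# Version boundaries as stated in the advisory summary for CVE-2024-4323.
FIRST_AFFECTED = (2, 0, 7)
LAST_AFFECTED = (3, 0, 3)
FIXED = (3, 0, 4)

# Monitoring API endpoints named in the write-up.
TRACE_ENDPOINTS = ("/api/v1/traces", "/api/v1/trace")

def parse_version(text):
    """Turn 'v3.0.2' or '3.0.2' into a comparable (major, minor, patch) tuple.
    Tuple comparison avoids the classic string-compare bug ('3.0.10' < '3.0.4')."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Fluent Bit version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version_text):
    """True if the version lies inside 2.0.7 .. 3.0.3 inclusive."""
    return FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED

# Constructed sample access log (hypothetical reverse proxy in front of Fluent Bit).
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2024:10:01:02 +0000] "GET /api/v1/metrics HTTP/1.1" 200 512
10.0.0.9 - - [20/May/2024:10:01:07 +0000] "POST /api/v1/traces HTTP/1.1" 200 48
10.0.0.9 - - [20/May/2024:10:01:08 +0000] "POST /api/v1/traces HTTP/1.1" 500 0
10.0.0.9 - - [20/May/2024:10:01:09 +0000] "GET /api/v1/trace/tail.0 HTTP/1.1" 200 31
10.0.0.7 - - [20/May/2024:10:02:00 +0000] "GET /api/v1/health HTTP/1.1" 200 12
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$')

def trace_api_hits(log_text):
    """Per-client count of requests touching the trace endpoints.
    5xx responses are tallied separately: a crash of the embedded HTTP
    server after a malformed request tends to surface as those."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, status = m.groups()
        if path.startswith(TRACE_ENDPOINTS):
            entry = hits.setdefault(ip, {"requests": 0, "errors": 0})
            entry["requests"] += 1
            if status.startswith("5"):
                entry["errors"] += 1
    return hits

if __name__ == "__main__":
    print("3.0.2 affected:", is_affected("3.0.2"))
    print(trace_api_hits(SAMPLE_LOG))
```

Clients that never needed the monitoring API but show up in the result are candidates for access restriction regardless of the version in use.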