A vulnerability in Fluent Bit that affects many cloud providers

Tomcat

The open source Fluent Bit project has disclosed a vulnerability (CVE-2024-4323) that allows an attacker to remotely cause memory corruption, which can be used for denial of service, data leakage, and potentially arbitrary code execution on the server. The problem, codenamed "Linguistic Lumberjack", is rated critical (9.8 out of 10). The vulnerability has been present since version 2.0.7 and was fixed in the corrective updates 2.2.3 and 3.0.4.

Fluent Bit has more than 10 billion deployments and is used for processing and collecting logs and metrics in many companies and cloud platforms; its users include Google Cloud, AWS, DigitalOcean, VMware, Cisco, Microsoft, Lyft, LinkedIn, Walmart, Couchbase, Swift and Dell. During March alone, 13 million Docker images with Fluent Bit were uploaded. According to Tenable, which identified the vulnerability, many cloud services do not block access to the web API used to obtain internal metrics such as uptime, and Fluent Bit is what processes requests to such APIs.

The vulnerability is caused by an error in the built-in HTTP server that occurs when processing external requests to the API endpoints "/api/v1/traces" and "/api/v1/trace", which let users retrieve information about configured traces. Regardless of whether tracing is enabled, a user who has been granted access to the API can query this data. When parsing incoming requests, the types of some input fields passed in the array of the JSON body were determined incorrectly: regardless of the expected field type, every element was treated as MSGPACK_OBJECT_STR. Supplying non-string values in the input array, such as integer parameters, caused memory corruption because the flb_sds_create_len() function took the passed integer value as the length of a string field.
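The root cause described above is a type-confusion bug: the parser read a string length out of an array element without first checking that the element was a string. The following C program, added here as an illustration and not taken from Fluent Bit's source, models that situation with a constructed msgpack-style tagged union (field order of `size` before `ptr` is assumed, matching the common msgpack C layout) and shows the check that the hardened path needs. `mp_obj`, `sds_create_len`, `copy_string_inputs` and the demo functions are all hypothetical names for this example; the sample array mirrors only the shape of the crashing request from the page (a string, the integer 0xffffffff, another string).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a msgpack-style decoded object (not Fluent Bit's real types). */
typedef enum { MP_STR, MP_INT } mp_type;

typedef struct {
    mp_type type;
    union {
        struct { uint32_t size; const char *ptr; } str;  /* size first, as in msgpack-c */
        int64_t i64;
    } via;
} mp_obj;

/* Allocate a NUL-terminated copy of src[0..len). It trusts len completely, which is
 * exactly why the caller must verify the element really is a string first. */
static char *sds_create_len(const char *src, size_t len) {
    char *s = malloc(len + 1);
    if (!s) return NULL;
    memcpy(s, src, len);
    s[len] = '\0';
    return s;
}

/* The size an unchecked parser would feed to sds_create_len: it reads via.str.size no
 * matter which union member is live. For an integer element this is whatever bytes of
 * the integer overlap the size field (on little-endian, its low 32 bits). */
static uint32_t unchecked_size(const mp_obj *o) {
    return o->via.str.size;
}

static void free_all(char **out, size_t n) {
    while (n > 0) free(out[--n]);
}

/* Hardened path: copy each input only after confirming it is a string.
 * Returns the number of strings copied into out[], or -1 on the first non-string
 * element (partially built results are released before returning). */
static int copy_string_inputs(const mp_obj *arr, size_t n, char **out) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (arr[i].type != MP_STR) {
            fprintf(stderr, "inputs[%zu]: expected string, got type %d\n", i, (int)arr[i].type);
            free_all(out, i);
            return -1;
        }
        out[i] = sds_create_len(arr[i].via.str.ptr, arr[i].via.str.size);
        if (!out[i]) { free_all(out, i); return -1; }
    }
    return (int)n;
}

/* Constructed array shaped like the crashing request: ["AAAAAAAA", 0xffffffff, "BBBB"]. */
static int demo_rejects_integer_element(void) {
    mp_obj in[3] = {
        { MP_STR, { .str = { 8, "AAAAAAAA" } } },
        { MP_INT, { .i64 = 0xffffffffLL } },
        { MP_STR, { .str = { 4, "BBBB" } } },
    };
    char *out[3];
    return copy_string_inputs(in, 3, out);  /* -1: element 1 is not a string */
}

/* Well-formed request: every element is a string, so both are copied. */
static int demo_accepts_strings(void) {
    mp_obj in[2] = {
        { MP_STR, { .str = { 8, "AAAAAAAA" } } },
        { MP_STR, { .str = { 4, "BBBB" } } },
    };
    char *out[2];
    int n = copy_string_inputs(in, 2, out);
    if (n != 2 || strcmp(out[0], "AAAAAAAA") != 0 || strcmp(out[1], "BBBB") != 0) {
        if (n > 0) free_all(out, (size_t)n);
        return -1;
    }
    free_all(out, 2);
    return n;
}

/* Length the unchecked path would have used for the integer element. */
static uint32_t demo_unchecked_size(void) {
    mp_obj o = { MP_INT, { .i64 = 0xffffffffLL } };
    return unchecked_size(&o);
}

int main(void) {
    printf("integer element rejected: %d\n", demo_rejects_integer_element());
    printf("all-string inputs copied: %d\n", demo_accepts_strings());
    printf("size an unchecked parser would use: %u\n", demo_unchecked_size());
    return 0;
}
```

The type check is the whole fix in miniature: once every element is verified as a string before its `size` is read, an integer in the array yields a clean request error instead of a multi-gigabyte copy from whatever the overlapping union bytes happen to point at.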

Example of a request that causes a crash:
Code:
python3 -c 'print("{\"output\":\"stdout\", \"params\": {\"format\": \"json\"},\"inputs\":[\"" + "A"*8 + "\"," + str(0xffffffff) + ", \"" + "B"*500 + "\"]}")' > test
curl -v http://:2020/api/v1/traces/ -H "Content-Type: application/json" -H "Expect: " --data "@test"

In the course of their experiments, the researchers managed to crash the service and to read back the residual contents of the memory used for processing HTTP requests, which contained, for example, fragments of confidential data such as access keys. Since the problem is a buffer overflow whose extent depends on the passed parameters, it could in theory be exploited to execute arbitrary code on the system, but the researchers who identified the problem did not verify this possibility because they lacked the time to work on an exploit.