DoS attacks and code execution affect the largest cloud providers and IT giants.
Tenable specialists have identified a critical vulnerability in Fluent Bit that can lead to a DoS attack and remote code execution. The flaw affects all major cloud providers, such as Amazon AWS, Google GCP, and Microsoft Azure, as well as many IT giants.
Fluent Bit is a popular logging and monitoring solution on Windows, Linux, and macOS, built into the main Kubernetes distributions. Until March 2024, Fluent Bit was downloaded and installed more than 13 billion times. This technology is used in cybersecurity by Crowdstrike, Trend Micro, Cisco, VMware, Intel, Adobe, and Dell.
The memory corruption vulnerability CVE-2024-4323 (CVSS score 3.1: 9.8) was discovered by Tenable researchers, who named it Linguistic Lumberjack. The error was caused by a Heap Overflow in the built-in Fluent Bit HTTP server when processing trace requests and first appeared in version 2.0.7.
An unauthenticated attacker can easily take advantage of the vulnerability to cause Denial of Service (DoS) or capture sensitive information. However, under certain conditions and with sufficient time, a hacker can achieve Remote Code Execution (RCE).
Tenable stated that creating a reliable exploit of the heap overflow vulnerability is not only difficult, but also requires a huge amount of time. The main risks are related to the ease of performing DoS attacks and information leaks.
Tenable reported the bug to developers on April 30, and fixes were made to the Fluent Bit mainline on May 15. It is expected that official releases with the fix will appear in version 3.0.4 (packages for Linux are already available). In addition, Tenable notified Microsoft, Amazon, and Google of the critical vulnerability through their vulnerability disclosure platforms on May 15.
Until fixes are available for all affected platforms, users who have deployed Fluent Bit on their infrastructure can mitigate the issue by restricting access to the Fluent Bit monitoring API to authorized users and services only. You can also disable a vulnerable API if it is not used to block potential attacks and reduce the attack surface.
Tenable specialists have identified a critical vulnerability in Fluent Bit that can lead to a DoS attack and remote code execution. The flaw affects all major cloud providers, such as Amazon AWS, Google GCP, and Microsoft Azure, as well as many IT giants.
Fluent Bit is a popular logging and monitoring solution on Windows, Linux, and macOS, built into the main Kubernetes distributions. Until March 2024, Fluent Bit was downloaded and installed more than 13 billion times. This technology is used in cybersecurity by Crowdstrike, Trend Micro, Cisco, VMware, Intel, Adobe, and Dell.
The memory corruption vulnerability CVE-2024-4323 (CVSS score 3.1: 9.8) was discovered by Tenable researchers, who named it Linguistic Lumberjack. The error was caused by a Heap Overflow in the built-in Fluent Bit HTTP server when processing trace requests and first appeared in version 2.0.7.
An unauthenticated attacker can easily take advantage of the vulnerability to cause Denial of Service (DoS) or capture sensitive information. However, under certain conditions and with sufficient time, a hacker can achieve Remote Code Execution (RCE).
Tenable stated that creating a reliable exploit of the heap overflow vulnerability is not only difficult, but also requires a huge amount of time. The main risks are related to the ease of performing DoS attacks and information leaks.
Tenable reported the bug to developers on April 30, and fixes were made to the Fluent Bit mainline on May 15. It is expected that official releases with the fix will appear in version 3.0.4 (packages for Linux are already available). In addition, Tenable notified Microsoft, Amazon, and Google of the critical vulnerability through their vulnerability disclosure platforms on May 15.
Until fixes are available for all affected platforms, users who have deployed Fluent Bit on their infrastructure can mitigate the issue by restricting access to the Fluent Bit monitoring API to authorized users and services only. You can also disable a vulnerable API if it is not used to block potential attacks and reduce the attack surface.
