Security researchers at Ebryx discovered two security flaws affecting Fluent Bit. Tracked as CVE-2024-50608 and CVE-2024-50609, the vulnerabilities may allow a remote, unauthenticated attacker to crash Fluent Bit, causing a denial of service.
Fluent Bit is an open-source tool that collects, processes, and exports telemetry data like logs, traces, and metrics. It can run on edge devices and is designed to be lightweight and multi-threaded. Fluent Bit collects data from various environments, from constrained systems to complex cloud infrastructures.
The researchers published a blog post describing the vulnerabilities and how they were exploited. Both stem from a NULL pointer dereference affecting the Prometheus Remote Write input plugin and the OpenTelemetry plugin.
The blog explains: “an attacker can send a packet with Content-Length: 0, causing the server to crash. The improper handling of the Content-Length value being zero allows any user with access to the endpoint to execute a remote denial of service attack. The crash happens due to a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len, which attempts to cast a NULL pointer into a struct cfl_sds. Before diving into the specifics of the vulnerabilities, let’s first explore the internal workings of the target systems and the approach we took during our assessment.”
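To make the failure mode concrete, the following is a simplified model added here, not Fluent Bit's or Ebryx's code: a length-prefixed string whose header sits immediately before the character buffer (the same layout idea as cfl_sds; the struct and function names below are hypothetical). It shows why an unchecked length helper crashes on the NULL body pointer produced by Content-Length: 0, and the checked form that tolerates it.

```c
/* Constructed model of a length-prefixed string (header before buffer).
 * Names are hypothetical; this is not Fluent Bit's implementation. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct sds_hdr {
    size_t len;   /* bytes in use */
    size_t alloc; /* bytes allocated for the buffer */
};

typedef char *sds;

/* Allocate header plus buffer; the caller receives a pointer to the buffer. */
sds sds_new(const char *init, size_t len)
{
    struct sds_hdr *h = malloc(sizeof(*h) + len + 1);
    if (h == NULL)
        return NULL;
    h->len = len;
    h->alloc = len;
    memcpy((char *)(h + 1), init, len);
    ((char *)(h + 1))[len] = '\0';
    return (sds)(h + 1);
}

/* Vulnerable pattern: casts to the header without validating the pointer.
 * With s == NULL this reads from (NULL - sizeof(struct sds_hdr)) and faults. */
size_t sds_len_unchecked(sds s)
{
    struct sds_hdr *h = (struct sds_hdr *)s - 1;
    return h->len;
}

/* Hardened form: a missing body has length 0 and no header is ever read. */
size_t sds_len_checked(sds s)
{
    if (s == NULL)
        return 0;
    struct sds_hdr *h = (struct sds_hdr *)s - 1;
    return h->len;
}

/* Models the request path: Content-Length: 0 yields no body buffer (NULL),
 * which is exactly the value the length helper must handle safely. */
size_t body_len_for_request(size_t content_length, const char *payload)
{
    sds body = content_length ? sds_new(payload, content_length) : NULL;
    size_t n = sds_len_checked(body);
    if (body != NULL)
        free((struct sds_hdr *)body - 1);
    return n;
}
```

The fix reduces to validating the pointer before the header cast; a zero-length body is a legitimate request and should be rejected or ignored, not dereferenced.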
Affected Versions
The vulnerabilities affect Fluent Bit version 3.1.9.
Mitigation
Customers are advised to upgrade to Fluent Bit version 3.2.6 or later, which patches both vulnerabilities.
For more information, please refer to the Fluent Bit Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QID 732274 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://fluentbit.io/announcements/
https://www.ebryx.com/blogs/exploring-cve-2024-50608-and-cve-2024-50609