We’d like to make sure you’re aware of a security vulnerability (known as CVE-2024-4323) that impacts Fluent Bit versions 2.0.7 through 3.0.3. The latest version of Fluent Bit, version 3.0.4, fixes this issue. We’ve also backported the fix to Fluent Bit version 2.2.3, the last release of Fluent Bit v2.
The identified vulnerability arose from a memory corruption error that could potentially create conditions for denial of service events, information disclosure, or, with an extremely sophisticated attack, remote code execution. This issue was related to the internal tracing interface and not to traces telemetry data handling.
Tenable, which discovered this issue, has an excellent write-up explaining how the vulnerability works and how they uncovered it. To summarize their findings: certain types of input names in incoming requests were not properly validated before being parsed by the traces API endpoint. A bad actor could exploit this flaw by passing unexpected or invalid inputs to intentionally cause memory corruption, and then use the resulting memory corruption to generate a denial of service attack or (with careful crafting) to expose secret information. It’s also possible that the memory corruption could be used for remote code execution, but such an attack would be highly dependent on architecture, host OS, and other environmental factors. Because it is nonetheless possible, NIST has given this vulnerability a CVSS score of 9.8.
Fluent Bit version 3.0.4 closes this vulnerability and its associated threats. We recommend updating immediately to keep your systems stable and secure.
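As an added example (not the Fluent Bit project’s own code), the Python below encodes the affected and fixed versions stated above so that a fleet’s `fluent-bit --version` output can be triaged, including the backport edge case where 2.2.3 falls inside the numeric range but carries the fix. The host lines are constructed, and the assumption that the binary reports itself as `Fluent Bit vX.Y.Z` is mine.

```python
"""Triage Fluent Bit builds against CVE-2024-4323 (added example, not project code)."""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Ranges as stated in the advisory.
AFFECTED_LOW: Version = (2, 0, 7)    # first affected release
AFFECTED_HIGH: Version = (3, 0, 3)   # last affected release
BACKPORT_FIX: Version = (2, 2, 3)    # fixed v2 release (last of the v2 line)
FIXED_V3: Version = (3, 0, 4)        # fixed v3 release


def parse_version(text: str) -> Version:
    """Extract X.Y.Z from strings such as 'Fluent Bit v3.0.3' (format is an assumption)."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the version is inside 2.0.7..3.0.3 and does not carry the backported fix."""
    if not (AFFECTED_LOW <= version <= AFFECTED_HIGH):
        return False
    # Edge case: 2.2.3 sits numerically inside the range but is the fixed v2 release.
    if version[0] == 2 and version >= BACKPORT_FIX:
        return False
    return True


def recommended_target(version: Version) -> Version:
    """Stay on the v2 line if the host runs v2, otherwise move to the fixed v3 release."""
    return BACKPORT_FIX if version[0] == 2 else FIXED_V3


def assess(line: str) -> Dict[str, object]:
    """Summarise one inventory line: parsed version, whether it is affected, upgrade target."""
    version = parse_version(line)
    affected = is_affected(version)
    return {"version": version, "affected": affected,
            "upgrade_to": recommended_target(version) if affected else None}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    inventory = ["web-01: Fluent Bit v3.0.1", "log-02: Fluent Bit v2.2.3",
                 "edge-03: Fluent Bit v2.1.9", "new-04: Fluent Bit v3.0.4"]
    for entry in inventory:
        print(entry, "->", assess(entry))
```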
Even though nobody’s excited to receive a critical security notice right before they step out to lunch, this issue still provided us with a helpful nudge to assess our vulnerability prevention practices within the Fluent Bit project. For example, it was a reminder that some measures we already have in place, like our participation in the Google OSS-Fuzz program, exist for a reason. It also gave us a chance to strengthen other aspects of our incident response and ensure that they’re maximally effective for the future of Fluent Bit.
And, as always, we welcome your continued assistance—our community contributors make Fluent Bit better every day. We’re grateful to be an open-source project where anyone can look at our code, identify problems, and see that they get fixed.