Critical Vulnerability in Fluent Bit Affects Major Cloud Providers
May 20, 2024
A severe security flaw has been discovered in Fluent Bit, a widely used logging and metrics agent that runs on Windows, Linux, and macOS. The software is embedded in the Kubernetes distributions of major cloud providers, including Amazon AWS, Google GCP, and Microsoft Azure. By March 2024, Fluent Bit had been downloaded and deployed more than 13 billion times, up from the three billion downloads reported in October 2022. It is also used by cybersecurity companies such as CrowdStrike and Trend Micro, and by technology companies including Cisco, VMware, Intel, Adobe, and Dell.
The vulnerability, tracked as CVE-2024-4323 and named 'Linguistic Lumberjack' by the Tenable researchers who discovered it, is a critical memory corruption bug. It was introduced in Fluent Bit version 2.0.7 and stems from a heap buffer overflow in the embedded HTTP server's parsing of trace requests, part of the monitoring API; every release from 2.0.7 up to and including 3.0.3 is therefore affected.
Unauthenticated attackers who can reach that endpoint can exploit the flaw remotely to cause a denial of service or leak sensitive information. Under certain circumstances, and given enough time, it could also be turned into remote code execution. Tenable highlighted the difficulty of weaponizing it, stating, 'While heap buffer overflows such as this are known to be exploitable, creating a reliable exploit is not only difficult, but incredibly time intensive.' The researchers emphasized that the primary risks are the ease with which denial of service and information leaks can be achieved.
Tenable notified the vendor of the bug on April 30, and fixes were committed to Fluent Bit's main branch on May 15. The first official release containing the patch is expected to be Fluent Bit 3.0.4. Tenable also alerted Microsoft, Amazon, and Google on May 15 through their vulnerability disclosure platforms.
Until patched builds are available for all affected platforms, anyone running this logging utility can reduce the risk by restricting access to Fluent Bit's monitoring API (its embedded HTTP server) to authorized users and services, for example by binding it to a local address or filtering its port at the network level. If the API is not in use, disable it altogether so the vulnerable endpoint is unreachable and the attack surface is minimized.
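The check a practitioner will want to run first is whether any reachable Fluent Bit instance is both exposed and inside the affected range. The script below is an added example, not Fluent Bit's or Tenable's tooling: it encodes the version range the advisory implies (introduced in 2.0.7, fixed in 3.0.4, so 2.0.7 through 3.0.3 is affected) and probes the monitoring API on its default port 2020. It assumes the HTTP server's root endpoint answers with build-info JSON containing a `"version"` field, and the hostnames in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Fluent Bit's or Tenable's code): flag Fluent Bit
# instances whose monitoring API is reachable from this host and whose
# version falls in the CVE-2024-4323 range 2.0.7 <= v < 3.0.4.
set -eu

# Turn "MAJOR.MINOR.PATCH" (any "-suffix" dropped) into one comparable integer.
# Subshell body keeps the IFS change and positional parameters local.
ver_num() (
    IFS=.
    set -- ${1%%-*}
    printf '%d' $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# True (exit 0) when 2.0.7 <= version < 3.0.4: the flaw was introduced in
# 2.0.7 and the fix ships in 3.0.4, so 3.0.3 is the last affected release.
fb_version_affected() (
    v=$(ver_num "$1")
    [ "$v" -ge "$(ver_num 2.0.7)" ] && [ "$v" -lt "$(ver_num 3.0.4)" ]
)

# Pull "version":"X.Y.Z" out of the build-info JSON that GET / returns.
# Assumption: the response looks like {"fluent-bit":{"version":"3.0.3",...}}.
extract_version() {
    printf '%s' "$1" | sed -n 's/.*"version": *"\([0-9][0-9.]*\)".*/\1/p'
}

# Probe one host. Any answer at all means the monitoring API is reachable
# from this network position, which is exactly what the mitigation says to
# prevent for unauthorized clients.
probe_host() (
    host=$1
    port=${2:-2020}
    if ! body=$(curl -s --max-time 3 "http://$host:$port/"); then
        echo "$host:$port: not reachable (API disabled or filtered)"
    else
        version=$(extract_version "$body")
        if [ -z "$version" ]; then
            echo "$host:$port: answered, but no Fluent Bit version in the response"
        elif fb_version_affected "$version"; then
            echo "$host:$port: Fluent Bit $version reachable and in the affected range (2.0.7 to 3.0.3)"
        else
            echo "$host:$port: Fluent Bit $version reachable; not in the affected range"
        fi
    fi
)

# Usage: sh fb_check.sh host[:port] ...
# e.g.   sh fb_check.sh 10.0.0.5 logging.internal:2020   (constructed targets)
if [ "$#" -gt 0 ]; then
    for target in "$@"; do
        case "$target" in
            *:*) probe_host "${target%%:*}" "${target#*:}" ;;
            *)   probe_host "$target" ;;
        esac
    done
fi
```

Run it from the network positions an attacker could plausibly occupy (another pod, a node, an adjacent subnet), not just from the host running Fluent Bit. Any host that answers is exposed, regardless of version; for the mitigation the article describes, set `HTTP_Server Off` in the `[SERVICE]` section if the API is unused, or keep `HTTP_Listen` on a local address and filter port 2020 so only the scraper that needs it can reach it.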