Critical Vulnerability in Fluent Bit Affects Major Cloud Providers

May 20, 2024

A severe security flaw has been discovered in Fluent Bit, a popular logging and metrics solution used across various operating systems including Windows, Linux, and macOS. This software is embedded in several Kubernetes distributions provided by major cloud providers such as Amazon AWS, Google GCP, and Microsoft Azure. By March 2024, Fluent Bit had been downloaded and deployed over 13 billion times, showing a significant increase from the three billion downloads reported in October 2022. The software is also employed by cybersecurity companies like Crowdstrike and Trend Micro, as well as tech giants including Cisco, VMware, Intel, Adobe, and Dell.

The vulnerability, identified as CVE-2024-4323 and named 'Linguistic Lumberjack' by the security researchers from Tenable who discovered it, is a critical memory corruption issue. It was introduced in version 2.0.7 of Fluent Bit and is the result of a heap buffer overflow weakness in the parsing of trace requests by the software's embedded HTTP server.

This security flaw can be exploited by unauthenticated attackers to initiate denial-of-service attacks or capture sensitive information remotely. In certain circumstances, and with enough time, it could also be used to gain remote code execution. Tenable highlighted the challenge of exploiting this flaw, stating, 'While heap buffer overflows such as this are known to be exploitable, creating a reliable exploit is not only difficult, but incredibly time intensive.' The researchers emphasized that the primary risks are related to the ease with which denial-of-service and information leaks can be achieved.

Tenable informed the vendor about the security bug on April 30, and fixes were committed to Fluent Bit's main branch on May 15. The official releases containing this patch are expected to be included in Fluent Bit 3.0.4. Tenable also alerted Microsoft, Amazon, and Google about this critical security bug on May 15 through their vulnerability disclosure platforms.

Until patches are available for all affected platforms, customers who have deployed this logging utility on their infrastructure can reduce the risk by restricting access to Fluent Bit's monitoring API to authorized users and services. Additionally, this vulnerable API endpoint can be disabled if it's not in use to ensure potential attacks are blocked and the attack surface is minimized.
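An added example, not code from the article or from the Fluent Bit project: a small POSIX shell audit that checks a deployed version against the range the article gives (introduced in 2.0.7, fixed in 3.0.4) and inspects a classic-format Fluent Bit config for the `[SERVICE]` keys `HTTP_Server` and `HTTP_Listen` that control the monitoring API. It assumes three-component version strings and the classic (non-YAML) config format.

```shell
#!/bin/sh
# Added example (not from the article): audit a Fluent Bit deployment for the
# two mitigations the article recommends, a patched version and a monitoring
# API that is disabled or bound to loopback only.

# version_lt A B: true (exit 0) when dotted version A is lower than B.
# Assumes "X.Y.Z" strings; missing components are treated as 0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# True when the version falls in the affected range stated in the article:
# 2.0.7 up to, but not including, the 3.0.4 release that carries the fix.
version_in_affected_range() {
  ! version_lt "$1" "2.0.7" && version_lt "$1" "3.0.4"
}

# api_exposure CONFIG: prints "disabled", "loopback" or "exposed" for the
# built-in HTTP server configured in the [SERVICE] section of a classic
# Fluent Bit config. Keys are case-insensitive; Fluent Bit's default is
# HTTP_Server Off and, when enabled, HTTP_Listen 0.0.0.0 (all interfaces).
api_exposure() {
  awk '
    /^[[:space:]]*\[/ { in_service = (tolower($0) ~ /\[service\]/) }
    in_service && tolower($1) == "http_server" { server = tolower($2) }
    in_service && tolower($1) == "http_listen" { listen = $2 }
    END {
      if (server != "on") print "disabled"
      else if (listen == "127.0.0.1" || listen == "::1" || listen == "localhost") print "loopback"
      else print "exposed"
    }' "$1"
}
```

Source the file and call `api_exposure /path/to/fluent-bit.conf`; a result of "exposed" on an affected version means the API should be bound to loopback, put behind access controls, or turned off until the patched release is deployed.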
