Researchers have identified a significant memory corruption vulnerability in Fluent Bit, a widely used cloud logging utility, potentially affecting major cloud platforms. The vulnerability, discovered by Tenable, has been dubbed “Linguistic Lumberjack” and poses serious risks including denial of service (DoS), data leakage, and remote code execution (RCE).
Fluent Bit, an open-source tool for collecting, processing, and forwarding logs, boasts over 3 billion downloads as of 2022 and continues to see about 10 million new deployments daily. It is a critical component for many major organizations like VMware, Cisco, Adobe, Walmart, and LinkedIn, and is integrated into services from cloud giants such as AWS, Microsoft, and Google Cloud.
The vulnerability stems from Fluent Bit’s embedded HTTP server, which improperly parses trace requests on its monitoring API. This flaw allows attackers to manipulate data inputs, causing memory corruption. The issue is severe enough to potentially crash the service or expose sensitive data across different cloud tenants.
Jimi Sebree, a senior staff research engineer with Tenable, highlighted the broader implications of such vulnerabilities, stating that while attention often focuses on Azure, AWS, or GCP, it’s essential to scrutinize the foundational technologies that support these cloud services.
The discovery was made while Tenable researchers were investigating another security issue within a cloud service. They found that the endpoint /api/v1/traces did not validate input types correctly, leading to memory corruption when non-string values were processed.
Versions of Fluent Bit from 2.0.7 to 3.0.3 are affected by this vulnerability, tracked as CVE-2024-4323. It carries a critical CVSS score of over 9.5. The Fluent Bit maintainers responded quickly, releasing a fix on May 15 to address the input validation issue.
Organizations using Fluent Bit are urged to update to the latest version immediately. Alternatively, administrators should restrict access to Fluent Bit’s monitoring API to prevent unauthorized queries, ensuring better protection against potential exploits.
