
“Linguistic Lumberjack” vulnerability impacts all major cloud providers

Researchers have discovered a severe memory corruption vulnerability in Fluent Bit, a utility used by major cloud providers.

At times, you may read about a vulnerability in a product that means nothing to you. But in some cases, it indirectly impacts you anyway, even if you’ve never heard of it.

To that tune, researchers have discovered a critical memory corruption vulnerability in Fluent Bit and named it Linguistic Lumberjack.

Fluent Bit is a logging and metrics processor and forwarder. It allows users to collect log events or metrics from different sources, process them, and deliver them to different backends.

Among its users it touts Google Cloud, Microsoft, DigitalOcean, Cisco, and it comes embedded in major Kubernetes distributions, including those from AWS, GCP, and Azure. To demonstrate how widely it is used: in March 2024 the company celebrated 13 million downloads from DockerHub.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The vulnerability found by the researchers is listed as CVE-2024-4323, a memory corruption vulnerability in Fluent Bit’s embedded HTTP server’s parsing of trace requests that could result in denial-of-service (DoS) conditions, information disclosure, or remote code execution (RCE).

Users will either need to upgrade to the latest version or limit access to the vulnerable endpoints. Affected versions are 2.0.7-3.0.3, with fixes available in version 3.0.4. Users upgrading from previous versions must read the Upgrading Notes section of the documentation.

The affected HTTP endpoints are set up to indicate service uptime, plugin metrics, health checks, etc. They allow administrators or other users to query and monitor information about the service itself.

Unfortunately, the data types of the input names are not properly validated while incoming requests for the /api/v1/traces endpoint are parsed. By passing non-string values in the inputs array of a request, it is possible to cause a variety of memory corruption issues.

This issue was ultimately fixed by properly validating the data types of values in the “inputs” array sent to the “traces” endpoint.
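As an added illustration, not Fluent Bit's own code, the Python helper below applies the two checks this article describes: whether an installed version falls in the affected range 2.0.7 through 3.0.3, and whether a trace request body carries only string values in its "inputs" array, which is the type validation the fix enforces. The request bodies are constructed samples, and the function names are hypothetical.

```python
import json

AFFECTED_MIN = (2, 0, 7)   # first affected release named in the advisory
FIXED = (3, 0, 4)          # first release carrying the fix


def parse_version(text: str) -> tuple:
    """Turn 'v3.0.3' or '3.0.3' into a comparable tuple of ints."""
    parts = text.lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text: str) -> bool:
    """True for releases in the 2.0.7 - 3.0.3 range (inclusive)."""
    return AFFECTED_MIN <= parse_version(text) < FIXED


def validate_trace_request(body: bytes) -> list:
    """Return the problems found in a /api/v1/traces request body.

    An empty list means the body passes the check the fix adds:
    'inputs' must be an array and every element must be a string.
    Hypothetical helper mirroring the described fix, not the C code.
    """
    try:
        data = json.loads(body)
    except ValueError as exc:
        return [f"body is not valid JSON: {exc}"]
    if not isinstance(data, dict):
        return ["top-level JSON value is not an object"]
    inputs = data.get("inputs")
    if not isinstance(inputs, list):
        return ["'inputs' is missing or not an array"]
    problems = []
    for i, item in enumerate(inputs):
        if not isinstance(item, str):
            problems.append(f"inputs[{i}] is {type(item).__name__}, expected string")
    return problems


# Constructed sample bodies, not captured traffic.
GOOD_BODY = b'{"inputs": ["tail.0", "cpu.0"]}'
BAD_BODY = b'{"inputs": ["tail.0", 12345, {"k": "v"}]}'

if __name__ == "__main__":
    print(is_affected_version("3.0.3"), is_affected_version("3.0.4"))
    print(validate_trace_request(GOOD_BODY))
    print(validate_trace_request(BAD_BODY))
```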

While the researchers said that the ability to accomplish remote code execution depends very much on a variety of environmental factors and is likely to be very time-consuming, it is very easy to cause denial-of-service interruptions and information leaks, so users are advised to upgrade to the latest version as soon as possible.

If you rely on cloud services that are known to make use of Fluent Bit, we recommend reaching out to your cloud provider to ensure that updates or mitigations are deployed in a timely manner.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in check by using ThreatDown’s Vulnerability Assessment and Patch Management solutions.