Critical bug discovered in open source utility Fluent Bit

Tenable on Monday disclosed "Linguistic Lumberjack," a critical memory corruption vulnerability in Fluent Bit, a popular open source logging utility used by many major cloud vendors.

The bug, tracked as CVE-2024-4323, is a memory corruption vulnerability present in Fluent Bit versions 2.0.7 through 3.0.3. The flaw is caused by a validation issue with the software's embedded HTTP server, which can result in denial-of-service attacks, information disclosure or remote code execution. Tenable senior staff research engineer Jimi Sebree said in a blog post that the cybersecurity vendor reported the flaw to project maintainers on April 30, and that fixes committed on May 15 are expected to be present in Fluent Bit version 3.0.4.

Sebree noted that Fluent Bit is used by many major cloud providers, and that it "boasts upwards of 3 billion downloads as of 2022 and continues to see more than 10 million deployments each day." He wrote that Tenable was researching an undisclosed vulnerability connected to an unnamed cloud service when it stumbled into Linguistic Lumberjack.

"Tenable researchers discovered that they were able to access a variety of metrics and logging endpoints internal to the cloud service itself. Among these endpoints were a number of Fluent Bit instances," Sebree wrote. "Access to these endpoints alone could result in cross-tenant information leakage, but after testing Fluent Bit in a separate, isolated environment, the researchers happened upon the memory corruption issue detailed here."

Sebree said Fluent Bit's monitoring API is designed to allow users to query and monitor internal service-related information such as service uptime and health checks. However, two of the API endpoints -- /api/v1/traces and /api/v1/trace -- allow users to obtain information about configured traces. Tenable researchers found that anyone with access to the API endpoints could query it, regardless of whether the traces were configured.

"In their lab environment, the researchers were able to reliably exploit this issue to crash the service and cause a denial of service scenario," Sebree wrote. "They were also able to retrieve chunks of adjacent memory, which are returned in the HTTP responses."

In addition, researchers were able to retrieve "partial secrets" during the testing, which indicated that CVE-2024-4323 could be exploited to leak sensitive data.

In an email, Sebree told TechTarget Editorial that anyone with access to a vulnerable endpoint "could easily initiate a denial of service or information disclosure." However, "remote code execution depends on many other factors outside of the Fluent Bit application, such as host architecture and operating system, making this more difficult to achieve," he said.

A fix is currently available via the project's GitHub page. Tenable advised organizations vulnerable to the Fluent Bit flaw to upgrade immediately or configure their environments appropriately to limit queries to authorized users and services. Moreover, Sebree said in the blog post, "If you rely on cloud services that are known to make use of Fluent Bit, we recommend reaching out to your cloud provider to ensure that updates or mitigations are deployed in a timely manner."

Tenable notified Microsoft, Amazon and Google of the issue on May 15 "so that they could begin their internal triage processes," the blog post said.

TechTarget Editorial contacted all three cloud providers for additional comment, but the companies did not respond at press time.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.