Security researchers have warned of another critical software supply chain vulnerability – this time affecting a popular logging utility with 13 billion downloads.
Tenable reported that a memory corruption vulnerability (CVE-2024-4323) in Fluent Bit’s built-in HTTP server, which exposes the tool’s monitoring API, could result in denial of service (DoS), information leakage and remote code execution (RCE).
Tenable named the bug “Linguistic Lumberjack,” warning that Fluent Bit is heavily used in “almost every major cloud provider’s infrastructure.”
“While investigating a security flaw in a cloud service (details of which are still pending public disclosure), Tenable researchers discovered that they were able to access a variety of metrics and logging endpoints internal to the cloud service itself,” Tenable explained in a blog post.
“Among these endpoints were a number of Fluent Bit instances. Access to these endpoints alone could result in cross-tenant information leakage, but after testing Fluent Bit in a separate, isolated environment, the researchers happened upon the memory corruption issue detailed here.”
Fluent Bit is a lightweight data collector and processor used as a logging and metrics tool by AWS, Google GCP, Microsoft Azure and several cybersecurity vendors including Trend Micro, CrowdStrike and Splunk. Other big-name brands such as Cisco, Walmart, LinkedIn, Intel and Adobe are also users.
Tenable researchers were able to trigger a variety of memory corruption issues by sending crafted requests to the vulnerable HTTP server.
“In their lab environment, the researchers were able to reliably exploit this issue to crash the service and cause a denial-of-service scenario,” the vendor explained.
“They were also able to retrieve chunks of adjacent memory, which are returned in the HTTP responses. While this is generally unlikely to reveal anything other than previous metrics requests, the researchers were able to occasionally retrieve partial secrets during their testing, indicating that this issue could potentially leak sensitive information.”
RCE exploitation depends on factors such as host architecture and OS, and is more difficult and time-consuming to achieve, so the DoS and information-leak scenarios are the highest-risk ones at present, Tenable added.
Fixes and Mitigations
The fix for Linguistic Lumberjack is in the main source branch and is expected to ship in release 3.0.4; Linux packages built from the fixed source are available from the Fluent Bit project.
“At the time of this writing, a general announcement has not been made on the Fluent Bit website and a formal release has not been generated by the maintainers despite the information regarding the vulnerability being committed to the public repository,” Tenable explained.
“If deployed in your own infrastructure and environments, it is recommended to upgrade to the latest version as soon as possible. If upgrading is not possible, it is recommended to review any applicable configurations in your environment that allow access to Fluent Bit’s monitoring API to ensure that only authorized users and services are able to query it. If unused, be sure to disable this endpoint.”
Concerned security teams are also urged to reach out to their cloud provider to ensure updates or mitigations are being deployed. Microsoft, Google and AWS were notified by Tenable on May 15.
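Tenable’s advice quoted above (upgrade, otherwise restrict or disable the monitoring API) can be checked mechanically against a Fluent Bit configuration. The script below is an added example written for this page, not Tenable’s or the Fluent Bit project’s code. It parses the `[SERVICE]` section of a classic-format Fluent Bit config, resolves the `HTTP_Server`, `HTTP_Listen` and `HTTP_Port` keys against Fluent Bit’s documented defaults (server off, listen on all interfaces, port 2020), and reports whether the built-in HTTP server is disabled, reachable only over loopback, or exposed to the network. It also compares a `fluent-bit --version` string against the 3.0.4 release the article names as carrying the fix. The three configuration snippets embedded in it are constructed for the example: the first shows the weak setting that leaves the API open, the other two show corrected forms.

```python
"""Audit a Fluent Bit classic-format config for an exposed monitoring API.

Added example for this article, not Tenable's or the Fluent Bit project's
code. The sample configs at the bottom are constructed for the example.
"""
import re
from dataclasses import dataclass

TRUE_VALUES = {"on", "true", "yes", "1"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
FIXED_RELEASE = (3, 0, 4)  # release named in the article as carrying the fix


@dataclass
class HttpServerSettings:
    enabled: bool
    listen: str
    port: int


def parse_service_section(config_text: str) -> dict:
    """Return the key/value pairs of the [SERVICE] section, keys lower-cased.

    Fluent Bit's classic format is INI-like but separates key and value with
    whitespace rather than '=', so configparser does not apply. Keys from other
    sections ([INPUT], [OUTPUT], ...) are ignored. Comments start with '#'.
    """
    settings = {}
    in_service = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            in_service = m.group(1).upper() == "SERVICE"
            continue
        if in_service:
            parts = line.split(None, 1)
            if len(parts) == 2:
                settings[parts[0].lower()] = parts[1].strip()
    return settings


def http_server_settings(config_text: str) -> HttpServerSettings:
    """Resolve the HTTP server keys, applying Fluent Bit's defaults."""
    s = parse_service_section(config_text)
    enabled = s.get("http_server", "off").lower() in TRUE_VALUES
    listen = s.get("http_listen", "0.0.0.0")
    port = int(s.get("http_port", "2020"))
    return HttpServerSettings(enabled, listen, port)


def classify_exposure(config_text: str) -> str:
    """Return 'disabled', 'loopback-only' or 'network-exposed'."""
    st = http_server_settings(config_text)
    if not st.enabled:
        return "disabled"
    if st.listen.lower() in LOOPBACK:
        return "loopback-only"
    return "network-exposed"


def older_than_fix(version_string: str) -> bool:
    """True if the x.y.z in a `fluent-bit --version` string predates 3.0.4."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"no x.y.z version found in {version_string!r}")
    return tuple(int(p) for p in m.groups()) < FIXED_RELEASE


# Constructed sample: the weak setting. The monitoring API answers on every
# interface, so anything that can reach port 2020 can talk to the HTTP server.
EXPOSED_CONFIG = """\
[SERVICE]
    Flush        5
    Daemon       Off
    HTTP_Server  On
    HTTP_Listen  0.0.0.0
    HTTP_Port    2020

[INPUT]
    Name  cpu
"""

# Constructed sample: corrected form when a local scraper still needs the API.
LOOPBACK_CONFIG = """\
[SERVICE]
    HTTP_Server  On
    HTTP_Listen  127.0.0.1
    HTTP_Port    2020
"""

# Constructed sample: corrected form when the API is unused. Leaving the key
# out is equivalent to HTTP_Server Off, which is the default.
DISABLED_CONFIG = """\
[SERVICE]
    Flush  5
    # HTTP_Server intentionally not set
"""

if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG),
                      ("loopback", LOOPBACK_CONFIG),
                      ("disabled", DISABLED_CONFIG)]:
        print(f"{name:9s} -> {classify_exposure(cfg)}")
    print("needs upgrade:", older_than_fix("Fluent Bit v3.0.3"))
```

Feed the contents of a real config file to `classify_exposure` and the output of `fluent-bit --version` to `older_than_fix`. Binding to loopback only narrows who can reach the endpoint; any process on the same host can still send it a malformed request, so the check is a stopgap until the fixed release is deployed. The parser handles only the classic key/value format, not Fluent Bit’s YAML configuration.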