Vulnerability in Fluent Bit impacting several cloud service providers

In an open project Fluent Bit identified vulnerability (CVE-2024-4323), allowing you to remotely cause memory corruption, which can be used to cause a denial of service, leak data, and potentially execute your code on the server. The problem, codenamed “Linguistic Lumberjack”, has a critical severity level (9.8 out of 10). The vulnerability appears starting from version 2.0.7 and eliminated in corrective updates 2.2.3 And 3.0.4.

Fluent Bit totals more than 10 billion deployments and is used to process and collect logs and metrics in many companies and cloud platforms, for example, users include Google Cloud, AWS, DigitalOcean, vmWare, Cisco, Microsoft, Lyft, LinkedIn, Walmart, Couchbase, Swift and Dell. During March, 13 million Docker images were downloaded from Fluent Bit. According to Tenable, which identified the vulnerabilities, many cloud services do not block access to Web APIs to obtain internal metrics such as uptime, and Fluent Bit is used to process calls to such APIs.


The vulnerability is due to a bug in the built-in HTTP server that occurs when processing external requests through the “/api/v1/traces” and “/api/v1/trace” API calls, which allow users to obtain information about configured traces. Regardless of whether tracing is enabled, the user has the ability to access API data if they are granted the appropriate access. During parsing of incoming requests, the types of some input fields passed through an array in a JSON block were incorrectly determined and, regardless of the expected field type, were interpreted as type MSGPACK_OBJECT_STR. Specifying non-string values, such as integer parameters, in the input data array resulted in memory corruption due to the flb_sds_create_len() function retrieving the passed integer value as a string-sized field.

An example of a request that causes an abnormal termination:

 python3 -c 'print("{\"output\":\"stdout\", \"params\": {\"format\": \"json\"},\"inputs\":(\"" + "A"*8 + "\"," + str(0xffffffff) + ", \"" + "B"*500 + "\")}")' > test curl -v -H "Content-Type: application/json" -H "Expect: " --data "@test"

During the experiments, the researchers were able to crash the service and determine the residual contents of the memory used when processing HTTP requests and containing, for example, fragments of confidential data such as access keys. Since the problem leads to a buffer overflow depending on the passed parameters, it could theoretically be exploited to execute code on the system, but the researchers who identified the problem did not test this possibility due to the lack of time to work on the exploit.

Thanks for reading: