Notice of Fluent Bit Memory Corruption Vulnerability (CVE-2024-4323)
Fluent Bit is a powerful, flexible, and user-friendly tool for processing and forwarding logs. It can be used with applications and systems of all sizes and types, including Linux, Windows, embedded Linux, and macOS. Fluent Bit is a widely used logging tool among cloud providers and enterprises, with over 13 billion downloads and deployments to date.
Vulnerability Details
Type |
CVE-ID |
Severity |
Discovered |
---|---|---|---|
Buffer overflow |
Critical |
2024-05-20 |
Impact
Fluent Bit 2.0.7 to 3.0.3 have a heap buffer overflow vulnerability in the embedded HTTP server's parsing of trace requests. The vulnerability arises from the incorrect verification of the data type of input_name during the parsing of incoming requests for the /api/v1/traces endpoint. This allows non-string values, including integer values, to be transferred in the inputs array of requests, which can lead to memory corruption. Attackers can exploit this vulnerability to cause a denial of service, information leakage, or remote code execution.
This vulnerability is involved when the Cloud Native Log Collection add-on earlier than v1.7.0 is installed in the CCE Autopilot cluster.
Identification Method
- Go to the Add-ons page and check if the Cloud Native Log Collection add-in has been installed.
Figure 1 Viewing the installed add-on version
- In the Cloud Native Log Collection add-on details, view the add-on version. If the add-on version is earlier than v1.7.0, this vulnerability is involved.
Figure 2 Add-on details
Solution
This vulnerability has been fixed for the Cloud Native Log Collection add-on in the CCE Autopilot cluster. Upgrade the add-on to the version where the vulnerability has been fixed.
Fixed add-on version: v1.7.0 or later
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot