CVE-2022-39379
Published 2022-11-02
Priority P2 77 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 44.71% (98.6th percentile)
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fluent | fluentd | — | — |
| fluentd | fluentd | >= 1.13.2 < 1.15.3 | 1.15.3 |
| fluentd | fluentd | >= 1.13.2 < 1.15.3 | 1.15.3 |
| msrc | cbl2_rubygem-fluentd_1.14.6-2_on_cbl_mariner_2.0 | — | — |
Detection & IOCs
- Fluentd RCE is only triggerable when the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`; scan deployments for this non-default configuration as a prerequisite indicator of exploitability.
- The attack vector is unauthenticated, inbound, specially crafted JSON payloads: monitor Fluentd input endpoints for anomalous or oversized JSON with embedded object/class instantiation constructs (Oj object mode deserialization gadgets).
- Only Fluentd versions 1.13.2 through 1.15.2 are affected (`FLUENT_OJ_OPTION_MODE` was introduced in 1.13.2); versions below 1.13.2 are not vulnerable. Use version fingerprinting to scope affected assets.
- The vulnerability is only present in non-default configurations where `FLUENT_OJ_OPTION_MODE=object` is explicitly set; default Fluentd deployments are NOT affected.
- Red Hat's openshift-logging/fluentd-rhel8 (Logging Subsystem for Red Hat OpenShift) is confirmed Not Affected.
- Workaround: do not set `FLUENT_OJ_OPTION_MODE=object` in any Fluentd deployment environment.
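One way to apply the configuration and version indicators above across an asset list, as an added example (not code from Fluentd or from any of the advisories cited here): it scopes each asset by the affected version range and by whether its deployment text sets `FLUENT_OJ_OPTION_MODE` to `object`. The inventory, host names and status symbols are constructed for illustration, and matching the value case-insensitively is a conservative assumption.

```ruby
require 'rubygems' # Gem::Version gives correct ordering for dotted versions

AFFECTED_FROM = Gem::Version.new('1.13.2') # option introduced (per the advisory)
FIXED_IN      = Gem::Version.new('1.15.3') # patched release (per the advisory)
VAR           = 'FLUENT_OJ_OPTION_MODE'

# Collect every value assigned to VAR in deployment text. Covers "VAR=value"
# (shell, systemd, docker -e), Dockerfile "ENV VAR value", and the Kubernetes
# "name: VAR" / "value: ..." pair. Values are lower-cased (conservative choice).
def oj_mode_values(text)
  lines = text.lines.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
  values = []
  lines.each_with_index do |line, i|
    if (m = line.match(/\b#{VAR}\s*[=\s]\s*["']?([A-Za-z_]+)/))
      values << m[1]
    elsif line.match?(/name:\s*["']?#{VAR}["']?\s*\z/) && lines[i + 1]
      m = lines[i + 1].match(/\Avalue:\s*["']?([A-Za-z_]+)/)
      values << m[1] if m
    end
  end
  values.map(&:downcase)
end

# Classify one asset from its Fluentd version and its deployment text.
def triage(version, deploy_text)
  v = Gem::Version.new(version)
  return :predates_option if v < AFFECTED_FROM
  return :patched if v >= FIXED_IN
  oj_mode_values(deploy_text).include?('object') ? :exposed : :in_range_not_object
end

# Constructed inventory: hosts, versions and config snippets are made up.
INVENTORY = [
  { host: 'agg-1',  version: '1.14.6', config: %(Environment="#{VAR}=object"\n) },
  { host: 'agg-2',  version: '1.15.2', config: "env:\n- name: #{VAR}\n  value: \"compat\"\n" },
  { host: 'agg-3',  version: '1.13.2', config: "env:\n- name: #{VAR}\n  value: \"object\"\n" },
  { host: 'edge-1', version: '1.12.4', config: "ENV #{VAR} object\n" },
  { host: 'edge-2', version: '1.15.3', config: "export #{VAR}=object\n" }
].freeze

def report(inventory)
  inventory.to_h { |a| [a[:host], triage(a[:version], a[:config])] }
end

report(INVENTORY).each { |host, status| puts "#{host}: #{status}" }
```

Assets reported as `exposed` are the ones to upgrade to 1.15.3 or to redeploy without `FLUENT_OJ_OPTION_MODE=object`.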
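CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_msrc | | 9.8 | CRITICAL | |
| vendor_redhat | | 3.1 | LOW | |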
OSV
fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
osv·2022-11-02
CVE-2022-39379 [LOW] fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
### Impact
A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`.
Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.
### Patches
v1.15.3
### Workarounds
Do not use `FLUENT_OJ_OPTION_MODE=object`.
### References
* GHSL-2022-067
GHSA
fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
ghsa·2022-11-02
CVE-2022-39379 [LOW] CWE-502 fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
Microsoft
Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
vendor_msrc·2022-11-08·CVSS 9.8
CVE-2022-39379 [LOW] CWE-502 Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Re
Red Hat
fluentd: remote code execution via crafted JSON payloads
vendor_redhat·2022-11-02·CVSS 3.1
CVE-2022-39379 [LOW] CWE-502 fluentd: remote code execution via crafted JSON payloads
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.
A remote code execution (RCE) vulnerability was found in non-defaul
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
* https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
* https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
* https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/