CVE-2022-39379
published 2022-11-02

Priority: P277, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 44.71% (98.6th percentile)
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.

Affected

5 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| fedoraproject | fedora | | |
| fluent | fluentd | | |
| fluentd | fluentd | >= 1.13.2 < 1.15.3 | 1.15.3 |
| fluentd | fluentd | >= 1.13.2 < 1.15.3 | 1.15.3 |
| msrc | cbl2_rubygem-fluentd_1.14.6-2_on_cbl_mariner_2.0 | | |

Detection & IOCs (extracted from sources)

  • Fluentd RCE is only triggerable when the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to 'object'; scan deployments for this non-default configuration as a prerequisite indicator of exploitability.
  • The attack vector is unauthenticated, inbound, specially crafted JSON payloads — monitor Fluentd input endpoints for anomalous or oversized JSON with embedded object/class instantiation constructs (Oj object mode deserialization gadgets).
  • Only Fluentd versions 1.13.2 through 1.15.2 are affected (FLUENT_OJ_OPTION_MODE was introduced in 1.13.2); versions below 1.13.2 are not vulnerable — use version fingerprinting to scope affected assets.
  • Vulnerability is only present in non-default configurations where FLUENT_OJ_OPTION_MODE=object is explicitly set; default Fluentd deployments are NOT affected.
  • Red Hat's openshift-logging/fluentd-rhel8 (Logging Subsystem for Red Hat OpenShift) is confirmed Not Affected.
  • Workaround: do not set FLUENT_OJ_OPTION_MODE=object in any Fluentd deployment environment.
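
The scoping checks in the list above (version range plus the `FLUENT_OJ_OPTION_MODE` setting) can be combined into one triage pass. The following is an added example, not code from Fluentd or from this page's sources; the inventory, host names and result labels are constructed, and it assumes each host's environment was captured as `KEY=value` text, either newline-separated or NUL-separated as in `/proc/<pid>/environ`.

```ruby
# Added example: exposure triage for CVE-2022-39379 (not Fluentd project code).
require "rubygems" # Gem::Version / Gem::Requirement

# Affected range as stated on this page: >= 1.13.2, < 1.15.3.
AFFECTED = Gem::Requirement.new(">= 1.13.2", "< 1.15.3")
OJ_MODE_VAR = "FLUENT_OJ_OPTION_MODE"

# Parse captured environment text (newline- or NUL-separated KEY=value).
def parse_env(text)
  text.split(/[\x00\n]/).each_with_object({}) do |line, env|
    key, sep, value = line.partition("=")
    env[key] = value unless sep.empty? || key.empty?
  end
end

# Classify one deployment from its Fluentd version string and environment Hash.
def classify(version, env)
  v = version.to_s.strip
  return :unknown_version if v.empty? || !Gem::Version.correct?(v)
  in_range = AFFECTED.satisfied_by?(Gem::Version.new(v))
  object_mode = env[OJ_MODE_VAR] == "object"
  if in_range && object_mode
    :exploitable_config              # upgrade to 1.15.3 and unset the variable
  elsif object_mode
    :mode_set_but_version_unaffected # remove the setting before any version change
  elsif in_range
    :affected_version_only           # not exposed per the advisory; still upgrade
  else
    :not_affected
  end
end

# Constructed sample inventory (hypothetical hosts, versions and environments).
INVENTORY = [
  { host: "agg-01",  version: "1.14.6", env: "PATH=/usr/bin\nFLUENT_OJ_OPTION_MODE=object\n" },
  { host: "agg-02",  version: "1.14.6", env: "PATH=/usr/bin\x00FLUENT_OJ_OPTION_MODE=compat\x00" },
  { host: "edge-01", version: "1.12.4", env: "FLUENT_OJ_OPTION_MODE=object\n" },
  { host: "edge-02", version: "1.15.3", env: "" },
].freeze

# Map each host name to its classification.
def triage(inventory)
  inventory.to_h { |d| [d[:host], classify(d[:version], parse_env(d[:env]))] }
end

triage(INVENTORY).each { |host, state| puts "#{host}: #{state}" } if __FILE__ == $PROGRAM_NAME
```
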

CVSS provenance

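| Source | CVSS version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_msrc | | 9.8 | CRITICAL | |
| vendor_redhat | | 3.1 | LOW | |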