CVE-2024-4323 — Linguistic Lumberjack: Heap-based Buffer Overflow in Fluent BIT

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write7 documents7 sources

Severity

9.8CRITICALNVD

EPSS

84.6%

top 0.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Treasuredata Fluent BIT Fluent BIT Msrc Azl3 Fluent-bit 3.0.3-1 ON Azure Linux 3.0 +7 more

Timeline

PublishedMay 20

Description

A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server’s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages10 packages

▶NVDtreasuredata/fluent_bit2.0.7 — 2.2.3+1

▶CVEListV5fluent_bit/fluent_bit2.0.7 — 3.0.3

▶msrcmsrc/azl3_fluent-bit_3.0.3-1_on_azure_linux_3.0

▶msrcmsrc/azl3_fluent-bit_3.0.6-1_on_azure_linux_3.0

▶msrcmsrc/cbl2_fluent-bit_2.2.3-1_on_cbl_mariner_2.0

Patches

Patch: github.com ↗Patch: tenable.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-68mr-468g-4wmg: A memory corruption vulnerability in Fluent Bit versions 2↗2024-05-20

▶

📋Vendor Advisories

Microsoft

Fluent Bit Memory Corruption Vulnerability↗2024-05-14

▶

🕵️Threat Intelligence

Bleepingcomputer

Critical Fluent Bit flaw impacts all major cloud providers↗2024-05-20

▶

Tenable

Linguistic Lumberjack: Attacking Cloud Services via Logging Endpoints (Fluent Bit - CVE-2024-4323)↗2024-05-20

▶

Greynoiseio

NoiseLetter May 2024↗

▶

💬Community

Bugzilla

CVE-2017-12839 mpg123: heap-based buffer over-read in function getbits insrc/libmpg123/getbits.h↗2019-05-10

▶