A critical security flaw in Fluent Bit, a widely adopted log processing and metrics collection tool that is part of the Cloud Native Computing Foundation (CNCF), has exposed enterprise cloud infrastructures to denial-of-service (DoS) attacks.
Designated CVE-2024-50608 and CVE-2024-50609, these vulnerabilities, scored 8.9 on the CVSS v3.1 severity scale, stem from improper handling of HTTP headers in the Prometheus Remote Write and OpenTelemetry input plugins.
Researchers at Ebryx found that attackers could exploit these flaws by sending a request carrying the header Content-Length: 0, triggering a null pointer dereference (CWE-476) and crashing the service [1].
Technical Breakdown of the Vulnerabilities
The vulnerabilities reside in Fluent Bit's HTTP server implementation, which processes incoming requests for metrics ingestion.
When an affected plugin receives a POST request whose Content-Length header is set to zero, the parser accepts the request without checking that a body is actually present, and the payload-processing code then dereferences a null pointer.
For example, the following curl command reliably crashes unpatched instances (the explicit -H header overrides the Content-Length curl would otherwise compute for the body):
```bash
curl --path-as-is -i -s -k -X POST \
  -H "Host: localhost:8080" \
  -H "Content-Length: 0" \
  --data-binary 'message "RkFSQU46TUVHQUNIQVIweDAx"' \
  http://127.0.0.1:9090/api/prom/push
```
The crash occurs in the cfl_sds_len function, which attempts to read the length of a null pointer handed to it by the HTTP payload processing layer.
Backtrace analysis traced the flawed logic to the header_lookup function, where Content-Length validation rejected only negative values and let zero through [1]. The patched check reads:
```c
else if (i == MK_HEADER_CONTENT_LENGTH) {
    // ...
    if (val <= 0) {   // pre-patch: only val < 0 was rejected, so zero passed through
        return -1;
    }
    p->header_content_length = val;
}
```
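To make the two layers concrete, here is an added C model written for this article; it is not Fluent Bit's or Ebryx's code. It pairs a minimal sds-style string (length stored just before the buffer, read by an unchecked lookup in the manner of cfl_sds_len) with a Content-Length check that can be switched between the pre-patch condition and the patched one, and a payload layer that hands NULL downstream when the body is empty. The functions parse_content_length, body_from_request, process_payload and handle_request, and the sds helpers, are invented for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sds-style string: [size_t len][bytes...][NUL], caller gets the bytes. */
typedef char *sds;

static sds sds_new(const char *src, size_t len)
{
    size_t *hdr = malloc(sizeof(size_t) + len + 1);
    if (hdr == NULL) {
        return NULL;
    }
    *hdr = len;
    memcpy(hdr + 1, src, len);
    ((char *)(hdr + 1))[len] = '\0';
    return (sds)(hdr + 1);
}

static void sds_free(sds s)
{
    if (s != NULL) { free((size_t *)s - 1); }
}

/* Length lookup in the style of cfl_sds_len: reads the header stored before the
 * buffer without checking s. With s == NULL it reads from (char *)NULL - sizeof(size_t),
 * which is the CWE-476 crash described in the article. */
static size_t sds_len_unchecked(sds s)
{
    return ((size_t *)s)[-1];
}

/* Parse a Content-Length value. patched == 0 keeps the pre-patch condition (only
 * val < 0 rejected); patched != 0 applies the fix (val <= 0 rejected).
 * Returns the accepted length, or -1 when the header is rejected. */
long parse_content_length(const char *value, int patched)
{
    char *end = NULL;
    long val;

    errno = 0;
    val = strtol(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0') {
        return -1;                 /* not a well-formed integer */
    }
    if (patched ? (val <= 0) : (val < 0)) {
        return -1;                 /* the only difference between the two versions */
    }
    return val;
}

/* Payload layer: with nothing to copy it hands NULL downstream, which is the
 * pointer an unchecked cfl_sds_len-style call would then dereference. */
sds body_from_request(const char *body, long content_length)
{
    if (content_length <= 0) {
        return NULL;
    }
    return sds_new(body, (size_t)content_length);
}

/* Hardened consumer: refuse a NULL payload before asking for its length. */
long process_payload(sds body)
{
    long n;
    if (body == NULL) {
        return -1;                 /* without this check: NULL dereference */
    }
    n = (long)sds_len_unchecked(body);
    sds_free(body);
    return n;
}

/* End to end: -1 if the request is rejected at either layer, else the body length. */
long handle_request(const char *content_length_hdr, const char *body, int patched)
{
    long len = parse_content_length(content_length_hdr, patched);
    if (len < 0) {
        return -1;
    }
    return process_payload(body_from_request(body, len));
}

int main(void)
{
    printf("pre-patch accepts Content-Length: 0 -> %ld\n", parse_content_length("0", 0));
    printf("patched rejects Content-Length: 0   -> %ld\n", parse_content_length("0", 1));
    printf("zero-length body yields NULL        -> %d\n", body_from_request("", 0) == NULL);
    printf("valid request, patched              -> %ld\n", handle_request("5", "hello", 1));
    return 0;
}
```

The point of the model is that the header check and the payload consumer are two independent places to stop the crash: the upstream fix rejects the request before a body is ever materialised, and a NULL check in front of the length lookup makes the consumer safe even if some other path produces an empty payload.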
A second vulnerability, an out-of-bounds write (CWE-787), was identified on systems with more than 32 CPU cores.
Fluent Bit's ne_utils_file_read_uint64 function indexed the statically allocated array core_throttles_set[256] without a bounds check, causing segmentation faults on multi-core servers [1].
Fuzzing Methodology and Impact
Ebryx used boofuzz, a network protocol fuzzer, to probe Fluent Bit's input handlers.
The team targeted three critical plugins, HTTP, Prometheus Remote Write, and OpenTelemetry, using mutational fuzzing techniques.
For the OpenTelemetry plugin, this involved mutating protocol buffer (Protobuf) payloads and HTTP headers:
```python
from boofuzz import *

# Target the OpenTelemetry input plugin on its default HTTP port
session = Session(target=Target(connection=TCPSocketConnection("localhost", 4318)))

s_initialize("HTTP POST")
s_static("POST ")
s_string("/v1/logs", name="path")                    # endpoint path is mutated
s_static(" HTTP/1.1\r\nHost: localhost:4318\r\n")
s_static("Content-Length: 0\r\n\r\n")                 # crash-inducing header

session.connect(s_get("HTTP POST"))
session.fuzz()
```
The fuzzing campaign revealed that all OpenTelemetry endpoints (/v1/traces, /v1/logs, /v1/metrics) were susceptible to crashes.
In production environments, this could disrupt log aggregation pipelines, impairing visibility into application performance and security events.
Mitigation and Patch Deployment
The Fluent Bit maintainers have released patches that validate Content-Length headers and add bounds checks for CPU core indices.
Administrators should upgrade to:
- Fluent Bit v3.0.4 (stable)
- Fluent Bit v2.2.2 (LTS)
Configuration hardening is also advised:
```text
[INPUT]
    name            opentelemetry
    listen          0.0.0.0
    port            4318
    # Enable TLS on the listener (encrypts transport; see the note below on authentication)
    tls             on
    tls.cert_file   /etc/ssl/certs/fluent-bit.crt
    tls.key_file    /etc/ssl/private/fluent-bit.key
```
Note that TLS on its own only encrypts the connection; it does not stop an attacker who can reach the port from sending the crashing request. Binding the listener to a trusted interface instead of 0.0.0.0, restricting access at the network layer, and requiring client certificates where the deployment supports it are what actually limit who can reach the vulnerable parser.
Industry Implications
With over 15 billion downloads and 10 million daily deployments, Fluent Bit underpins observability stacks at major cloud providers.
Unpatched instances risk cascading failures in Kubernetes clusters, serverless platforms, and SaaS monitoring tools.
Ebryx's findings underscore the critical need for protocol-level fuzz testing in CNCF projects, especially for components that process untrusted network data [1].
As enterprises accelerate cloud adoption, securing the "pipes" of telemetry data becomes as essential as safeguarding application code.