Bug 2019184 (CVE-2021-41186)

Summary: CVE-2021-41186 fluentd: ReDoS vulnerability in parser_apache2
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adsoni, alitman, aos-bugs, bmontgom, dbecker, eparis, ewolinet, jbadiapa, jburrell, jcantril, jjoyce, jokerman, jschluet, lars, lhh, lpeer, mburns, mmagr, mrunge, nstielau, rmccabe, sclewis, slinaber, sponnaga, sradco, tvignaud
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: fluentd 1.14.2
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-30 20:09:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2019185
Bug Blocks: 2019186

Description Guilherme de Almeida Suckevicz 2021-11-01 19:39:50 UTC
Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken Apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2. There are two workarounds available. Either don't use parser_apache2 for parsing logs (which cannot be guaranteed to have been generated by Apache), or put the patched version of parser_apache2.rb into the /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or the `--plugin` option of fluentd).

Reference:
https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662
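
The following is an added triage helper, not part of the bug report or of the fluentd project: it checks whether a fluentd version string falls in the affected range stated above (v0.14.14 up to v1.14.1, fixed in 1.14.2) and scans a fluentd configuration for uses of the apache2 parser, so an operator can tell whether the first workaround (not using parser_apache2) applies. The sample config is constructed for the demonstration; the `@type apache2` / `format apache2` directive forms are fluentd's standard way of selecting that parser.

```python
"""Triage helper for CVE-2021-41186 (fluentd parser_apache2 ReDoS)."""
import re

# Affected range from the advisory: v0.14.14 up to and including v1.14.1.
AFFECTED_MIN = (0, 14, 14)
FIXED_IN = (1, 14, 2)


def parse_version(text):
    """Extract a (major, minor, patch) tuple from e.g. 'fluentd 1.14.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(text):
    """True when the version is in [AFFECTED_MIN, FIXED_IN)."""
    return AFFECTED_MIN <= parse_version(text) < FIXED_IN


def apache2_parser_uses(config_text):
    """Return 1-based line numbers where the config selects the apache2 parser.

    Handles the '<parse> @type apache2 </parse>' form and the legacy
    'format apache2' directive; trailing '#' comments are ignored.
    """
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.split("#", 1)[0].strip()
        if re.fullmatch(r"(@type|format)\s+apache2", stripped):
            hits.append(lineno)
    return hits


def assess(version_text, config_text):
    """Exposed only if the version is in range AND the apache2 parser is used."""
    affected = version_is_affected(version_text)
    hits = apache2_parser_uses(config_text)
    return {"version_affected": affected, "apache2_lines": hits,
            "exposed": affected and bool(hits)}


# Constructed sample config (not taken from the bug report).
SAMPLE_CONFIG = """<source>
  @type tail
  path /var/log/httpd/access_log
  tag apache.access
  <parse>
    @type apache2
  </parse>
</source>
"""

if __name__ == "__main__":
    print(assess("fluentd 1.14.1", SAMPLE_CONFIG))
```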

Comment 1 Guilherme de Almeida Suckevicz 2021-11-01 19:40:05 UTC
Created puppet-fluentd tracking bugs for this issue:

Affects: openstack-rdo [bug 2019185]

Comment 5 Product Security DevOps Team 2021-11-30 20:09:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41186