In fluent-bit versions 2.1.8 through 2.2.1, HTTP requests are not properly verified before being processed. If an HTTP request is made without a ‘=’ being present in the body, the application is unable to parse the request and creates an array full of null pointers. This causes a null pointer dereference later when the application attempts to load the parsed data, leading to an application crash. An attacker can use this vulnerability to cause a DoS on any Fluent Bit server that is configured to receive HTTP requests. As fluent-bit is a log router, crashing the server can prevent logs from being delivered to the appropriate locations and create a visibility gap that attackers can further exploit. We were unable to find any RCE vulnerabilities stemming from this issue. A CVE, CVE-2024-23722, was created for this vulnerability. Reference: https://medium.com/@adurands82/fluent-bit-dos-vulnerability-cve-2024-23722-4e3e74af9d00
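The failure mode described above is a parser that reserves one slot per chunk of the request body and leaves the slot empty when a chunk has no ‘=’, so later code dereferences a null entry. The C example below is added here as an illustration of the defensive pattern and is not fluent-bit's code; the type `form_pair`, the functions `parse_form_body`, `form_get`, `count_pairs` and `value_matches`, and the sample bodies are all hypothetical and constructed for this example. The parser rejects the whole body as soon as a chunk lacks ‘=’ (or has an empty key), so the array handed to later code never contains a null pointer, and a malformed body produces an error return instead of a crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical key/value record for a parsed form body; not a fluent-bit type. */
struct form_pair {
    char *key;
    char *val;
};

/* Copy n bytes of s into a new NUL-terminated string (avoids relying on strndup). */
static char *dup_range(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d == NULL) return NULL;
    memcpy(d, s, n);
    d[n] = '\0';
    return d;
}

void free_form_pairs(struct form_pair *pairs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        free(pairs[i].key);
        free(pairs[i].val);
    }
    free(pairs);
}

/* Parse "k1=v1&k2=v2" into *out. Returns the number of pairs, or -1 for a
 * malformed body, in which case *out is NULL and nothing is leaked.
 * The invariant that matters for this bug class: a chunk without '=' (or
 * with an empty key) aborts the whole parse instead of leaving a NULL slot
 * in the array for later code to dereference. */
int parse_form_body(const char *body, size_t len, struct form_pair **out)
{
    *out = NULL;
    if (body == NULL) return -1;

    /* One slot per '&'-separated chunk; every slot is filled or the parse fails. */
    size_t cap = 1;
    for (size_t i = 0; i < len; i++)
        if (body[i] == '&') cap++;
    struct form_pair *pairs = calloc(cap, sizeof *pairs);
    if (pairs == NULL) return -1;

    size_t n = 0;
    const char *p = body, *end = body + len;
    while (p < end) {
        const char *amp = memchr(p, '&', (size_t)(end - p));
        const char *chunk_end = amp ? amp : end;
        const char *eq = memchr(p, '=', (size_t)(chunk_end - p));

        if (eq == NULL || eq == p) {          /* no '=' or empty key: reject */
            free_form_pairs(pairs, n);
            return -1;
        }
        pairs[n].key = dup_range(p, (size_t)(eq - p));
        pairs[n].val = dup_range(eq + 1, (size_t)(chunk_end - eq - 1));
        if (pairs[n].key == NULL || pairs[n].val == NULL) {
            free(pairs[n].key);
            free(pairs[n].val);
            free_form_pairs(pairs, n);
            return -1;
        }
        n++;
        p = amp ? amp + 1 : end;
    }
    *out = pairs;
    return (int)n;
}

/* Return the value for key, or NULL if absent. Entries are never NULL here
 * because the parser refuses bodies that would produce one. */
const char *form_get(const struct form_pair *pairs, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(pairs[i].key, key) == 0) return pairs[i].val;
    return NULL;
}

/* Pair count for a NUL-terminated body, or -1 if it was rejected. */
int count_pairs(const char *body)
{
    struct form_pair *pairs;
    int n = parse_form_body(body, strlen(body), &pairs);
    if (n >= 0) free_form_pairs(pairs, (size_t)n);
    return n;
}

/* 1 if body parses and key maps to expect, 0 otherwise. */
int value_matches(const char *body, const char *key, const char *expect)
{
    struct form_pair *pairs;
    int n = parse_form_body(body, strlen(body), &pairs);
    if (n < 0) return 0;
    const char *v = form_get(pairs, (size_t)n, key);
    int ok = (v != NULL && strcmp(v, expect) == 0);
    free_form_pairs(pairs, (size_t)n);
    return ok;
}

int main(void)
{
    /* Constructed sample bodies: one well-formed, one with no '=' at all. */
    const char *good = "level=info&msg=started";
    const char *bad  = "no equals sign in this body";
    printf("\"%s\" -> %d pairs\n", good, count_pairs(good));
    printf("\"%s\" -> %d (rejected)\n", bad, count_pairs(bad));
    return 0;
}
```

The design choice worth noting is that validation happens where the array is built, not where it is consumed: a single "reject the body" path at parse time is easier to audit than null checks scattered across every later reader of the data, and it turns a crash-the-router input into an ordinary 4xx-style error for the HTTP input handler to report.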
Mauro, I assume on v2.2.2 it has been already fixed. I am landing v2.2.2 for most of the branches so we should be good by end of last week. Could you just confirm if this is documented in an issue on the GitHub fluent-bit repo?