Bug 2271642 (CVE-2024-23722) - CVE-2024-23722 fluent-bit: NULL pointer dereference leads to server crash
Summary: CVE-2024-23722 fluent-bit: NULL pointer dereference leads to server crash
Keywords:
Status: NEW
Alias: CVE-2024-23722
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-03-26 16:57 UTC by Mauro Matteo Cascella
Modified: 2024-04-23 18:00 UTC

Fixed In Version: fluent-bit 2.2.2
Doc Type: ---
Doc Text:
A NULL pointer dereference issue was found in Fluent Bit. HTTP requests are not properly verified before being processed. If an HTTP request is made without a '=' being present in the body, the application is unable to parse the request, and creates an array full of NULL pointers. This causes a NULL pointer dereference later when the application attempts to load the parsed data, leading to an application crash. An attacker can use this vulnerability to cause a denial of service on any Fluent Bit server that is configured to receive HTTP requests. As fluent-bit is a log router, crashing the server can prevent logs from being delivered to the appropriate locations.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Mauro Matteo Cascella 2024-03-26 16:57:09 UTC
In fluent-bit versions 2.1.8 through 2.2.1, HTTP requests are not properly verified before being processed. If an HTTP request is made without a ‘=’ being present in the body, the application is unable to parse the request, and creates an array full of null pointers. This causes a null pointer dereference later when the application attempts to load the parsed data, leading to an application crash. An attacker can use this vulnerability to cause a DoS on any Fluent Bit server that is configured to receive HTTP requests. As fluent-bit is a log router, crashing the server can prevent logs from being delivered to the appropriate locations and create a visibility gap that attackers can further exploit. We were unable to find any RCE vulnerabilities stemming from this issue. A CVE, CVE-2024-23722, was created for this vulnerability.

Reference:
https://medium.com/@adurands82/fluent-bit-dos-vulnerability-cve-2024-23722-4e3e74af9d00
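
The failure mode described above, as an added example that is not Fluent Bit's code and not part of the original report: a hypothetical, simplified key=value body parser showing how a body without '=' leaves NULL slots, the consumer pattern that would dereference them, and a consumer that validates before use. The names `split_pairs`, `payload_len_unsafe` and `handle_body` are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

struct kv { char *key; char *val; };  /* hypothetical; NOT Fluent Bit's code */

/* Split "k=v&k2=v2" in place. Slots come from calloc, so a pair with no
 * '=' keeps key == val == NULL: the array-of-NULL-pointers state. */
struct kv *split_pairs(char *body, size_t *count) {
    size_t n = 1, i = 0;
    for (char *p = body; *p; p++) n += (*p == '&');
    struct kv *out = calloc(n, sizeof(*out));
    if (!out) return NULL;
    for (char *tok = body; tok != NULL; i++) {
        char *next = strchr(tok, '&');
        if (next) *next++ = '\0';
        char *eq = strchr(tok, '=');
        if (eq) { *eq = '\0'; out[i].key = tok; out[i].val = eq + 1; }
        tok = next;
    }
    *count = n;
    return out;
}

/* Bug pattern, shown only and never called: trusts every slot, so
 * strlen(NULL) is undefined behaviour and in practice a crash. */
size_t payload_len_unsafe(const struct kv *kv, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += strlen(kv[i].key) + strlen(kv[i].val);
    return total;
}

/* Hardened path: parse a copy of the body and reject the request (-1,
 * which a server would map to HTTP 400) if any slot was left unparsed. */
long handle_body(const char *body) {
    size_t n = 0, len = strlen(body);
    char *copy = malloc(len + 1);
    if (!copy) return -1;
    memcpy(copy, body, len + 1);
    struct kv *kv = split_pairs(copy, &n);
    long total = kv ? 0 : -1;
    for (size_t i = 0; total >= 0 && i < n; i++) {
        if (!kv[i].key || !kv[i].val) total = -1;
        else total += (long)(strlen(kv[i].key) + strlen(kv[i].val));
    }
    free(kv); free(copy);
    return total;
}

int main(void) { return handle_body("a=1&b=22") == 5 ? 0 : 1; }
```

The same validation applies to any parser that pre-allocates result slots: check each slot, or have the parser return an error, before a later stage loads the parsed data.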

Comment 1 leoswaldo 2024-04-23 18:00:59 UTC
Mauro, I assume on v2.2.2 it has been already fixed. I am landing v2.2.2 for most of the branches so we should be good by end of last week. Could you just confirm if this is documented in an issue on the GitHub fluent-bit repo?

