A flaw has been discovered in Fluent Bit that potentially impacts users of all major cloud platforms. The vulnerability in the logging and metrics solution, discovered by cybersecurity researchers at Tenable, could allow hackers to mount remote execution or denial-of-service (DDoS) attacks. Fluent Bit is found in many Kubernetes distributions, including those with Microsoft Azure, Google Cloud and AWS. Tech Monitor has reached out to Fluent Bit for comment. 

“If deployed in your own infrastructure and environments, it is recommended to upgrade to the latest version [of Fluent Bit] as soon as possible,” wrote Jimi Seebree, a senior staff research engineer at the cybersecurity firm. “If upgrading is not possible, it is recommended to review any applicable configurations in your environment that allow access to Fluent Bit’s monitoring API to ensure that only authorised users and services are able to query it. If unused, be sure to disable this endpoint.”

A flaw named CVE-2024-4323 has been discovered in Fluent Bit’s monitoring API for cloud services. (Photo by Shutterstock)

Fluent Bit flaw can be exploited to retrieve adjacent memory

Fluent Bit is a so-called logging utility used by cloud computing customers to monitor aspects of the service, including plugin metrics or service uptime. Tenable researchers discovered a memory corruption flaw in this API, known officially as CVE-2024-4323, while investigating another security flaw in an unnamed cloud provider. “By passing non-string values, such as integers, in the “inputs” array of a request,” wrote Seebree, the researchers discovered that “it is possible to cause a variety of memory corruption issues” and crash the service. 

The team were also able to retrieve adjacent memory, he added. Though this usually reveals only previous metrics requests, said Seebree, “the researchers were able to occasionally retrieve partial secrets during their testing, indicating that this issue could potentially leak sensitive information.” This would be contingent on several factors, including the host architecture and operating system and the patience of the threat actor, who would have to expend a significant amount of time to mount such an attack. 

Major cloud providers informed

According to Seebree, Tenable informed Fluent Bit about the flaw on 30 April and Amazon, Google and Microsoft on 15 May. At the time of writing, Fluent Bit has not made a statement about CVE-2024-4323 on its website

“While these utilities are known to contain lots of juicy information for attackers, it’s important to realize that information leakage isn’t the only thing to be concerned with,” concluded Seebree. “It’s essential for organizations to update these utilities regularly, adopt adequate defense-in-depth measures, and utilize the principle of least privilege to ensure these tools cannot be misused by attackers.”

Read more: Is cloud security automation really the future?