Cloud Hacker

A critical Fluent Bit vulnerability that can be exploited in denial-of-service and remote code execution attacks impacts all major cloud providers and many technology giants.

Fluent Bit is an extremely popular logging and metrics solution for Windows, Linux, and macOS embedded in major Kubernetes distributions, including those from Amazon AWS, Google GCP, and Microsoft Azure.

By March 2024, Fluent Bit had been downloaded and deployed over 13 billion times, a massive increase from the three billion downloads reported in October 2022.

Fluent Bit is also used by cybersecurity firms like CrowdStrike and Trend Micro, and many tech companies, such as Cisco, VMware, Intel, Adobe, and Dell.

Tracked as CVE-2024-4323 and dubbed Linguistic Lumberjack by the Tenable security researchers who discovered it, this critical memory corruption vulnerability was introduced with version 2.0.7 and is caused by a heap buffer overflow weakness in how Fluent Bit's embedded HTTP server parses trace requests.

Unauthenticated attackers can easily exploit the security flaw to trigger denial-of-service or to capture sensitive information remotely. Given the right conditions and enough time to create a reliable exploit, they could also use it to gain remote code execution.

"While heap buffer overflows such as this are known to be exploitable, creating a reliable exploit is not only difficult, but incredibly time intensive," Tenable said.

"The researchers believe that the most immediate and primary risks are those pertaining to the ease with which DoS and information leaks can be accomplished."

Patches shipping with Fluent Bit 3.0.4

Tenable reported the security bug to the vendor on April 30, and official patches have now shipped with Fluent Bit 3.0.4 (Linux packages are available here).

Tenable also notified Microsoft, Amazon, and Google of this critical security bug on May 15 through their vulnerability disclosure platforms.

Customers who have deployed this logging utility on their own infrastructure can also mitigate the issue by limiting access to Fluent Bit's monitoring API to authorized users and services.

You can also disable the vulnerable API endpoint if it's not being used to prevent potential attacks and remove the attack surface.
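As an added example (not from the original article, Tenable, or the Fluent Bit project), the Python check below classifies a deployment against the version range and the two mitigations described above. It assumes a classic-mode configuration and the `HTTP_Server` and `HTTP_Listen` keys of the `[SERVICE]` section with their documented defaults (`Off` and `0.0.0.0`), which come from the Fluent Bit documentation rather than this article; the function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Affected range per the article: introduced in 2.0.7, fixed in 3.0.4.
FIRST_AFFECTED, FIRST_FIXED = (2, 0, 7), (3, 0, 4)

# Constructed sample of a classic-mode Fluent Bit config (not from the article).
SAMPLE_CONF = """
[SERVICE]
    HTTP_Server  On
    HTTP_Listen  0.0.0.0
    HTTP_Port    2020
[INPUT]
    Name  cpu
"""

def parse_version(text):
    """Turn '3.0.3' or 'v3.0.3' into a comparable tuple such as (3, 0, 3)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def service_settings(conf):
    """Return the [SERVICE] section as {lower-cased key: value}."""
    settings, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().upper()
            continue
        parts = line.split(None, 1)
        if section == "SERVICE" and len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings

def audit(version, conf):
    """Return 'not-affected', 'api-disabled', 'local-only' or 'exposed'."""
    if not FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED:
        return "not-affected"
    s = service_settings(conf)
    # Assumption: HTTP_Server gates the whole monitoring API; default is Off.
    if s.get("http_server", "off").lower() not in ("on", "true", "yes"):
        return "api-disabled"
    try:
        loopback = ipaddress.ip_address(s.get("http_listen", "0.0.0.0")).is_loopback
    except ValueError:
        loopback = False  # hostname or malformed value: treat as reachable
    return "local-only" if loopback else "exposed"
```

A result of `local-only` reflects the listen address only; firewall rules or Kubernetes network policies that further restrict the monitoring port are not visible from the configuration file.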

Update: Added link to patched release.
