Critical vulnerability exposed in Fluent Bit, affecting all cloud providers

2024.05.21

A critical vulnerability in Fluent Bit can be exploited for denial of service and remote code execution attacks, and all major cloud providers are potentially affected.

Fluent Bit is a very popular logging and metrics solution for Windows, Linux, and macOS. It is mainly found in Kubernetes distributions, including those of Amazon AWS, Google GCP, and Microsoft Azure.

As of March 2024, Fluent Bit has been downloaded and deployed more than 13 billion times, a significant increase from the 3 billion downloads reported in October 2022.

Fluent Bit is also used by cybersecurity companies such as CrowdStrike and Trend Micro, as well as many technology companies including Cisco, VMware, Intel, Adobe, and Dell.

Tenable security researchers dubbed the vulnerability Linguistic Lumberjack and tracked it as CVE-2024-4323. It is reported that the vulnerability was introduced in version 2.0.7 and is caused by a heap buffer overflow in Fluent Bit's embedded HTTP server when parsing trace requests.

While an unauthenticated attacker could easily exploit this security flaw to trigger a denial of service or remotely disclose sensitive information, they could also use it to gain remote code execution given the right conditions and enough time to develop a reliable exploit.

Tenable security researchers said: "Although heap buffer overflows can be exploited, creating a reliable exploit is not only difficult but also time-consuming."

The researchers believe that the most immediate and significant risks are those related to the ease of denial of service and information leakage.

Patch released with Fluent Bit 3.0.4

On April 30, Tenable reported the security vulnerability to the vendor, and a patch for the vulnerability was submitted on May 15. The official release containing the patch is expected to ship as Fluent Bit 3.0.4.

Tenable also notified Microsoft, Amazon and Google of this critical security flaw through its vulnerability disclosure platform.

Tenable said last Wednesday (May 15) that, until all affected platforms are fixed, customers who have deployed the logging tool on their infrastructure can mitigate the issue by restricting access to Fluent Bit's monitoring API to authorized users and services.

If the vulnerable API endpoint is not needed, it can also be disabled to minimize the risk.
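As an added example illustrating the mitigation above (not code from the article or from the Fluent Bit project), the following Python check audits a classic fluent-bit.conf and flags a [SERVICE] section that turns the built-in HTTP server on while binding it to a non-loopback address, and flags a version that falls in the affected range (2.0.7 up to, but not including, 3.0.4). The keys HTTP_Server, HTTP_Listen and HTTP_Port are Fluent Bit's own configuration keys; the two sample configurations, one exposed and one hardened, are constructed for this example.

```python
# Added example, not from the article or the Fluent Bit project. Audits the
# [SERVICE] section of a classic fluent-bit.conf for the exposure that the
# article's mitigation addresses: an enabled monitoring API reachable beyond
# the local host. Version bounds come from the article (introduced 2.0.7,
# fixed in 3.0.4).
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
INTRODUCED = (2, 0, 7)
PATCHED = (3, 0, 4)

def parse_service_section(conf_text):
    """Return the key/value pairs of the [SERVICE] section (keys lower-cased)."""
    service, in_service = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                  # section header
            in_service = line.upper() == "[SERVICE]"
            continue
        if in_service:                            # "Key   Value" separated by whitespace
            key, _, value = line.partition(" ")
            service[key.strip().lower()] = value.strip()
    return service

def version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def audit(conf_text, version=None):
    """Return a list of findings; an empty list means no exposure was detected."""
    svc = parse_service_section(conf_text)
    findings = []
    if svc.get("http_server", "off").lower() == "on":
        listen = svc.get("http_listen", "0.0.0.0")   # Fluent Bit defaults
        port = svc.get("http_port", "2020")
        if listen not in LOOPBACK:
            findings.append(f"monitoring API reachable on {listen}:{port}; "
                            "bind to loopback or set HTTP_Server Off")
    if version is not None and INTRODUCED <= version_tuple(version) < PATCHED:
        findings.append(f"Fluent Bit {version} is in the affected range (2.0.7 to 3.0.3)")
    return findings

# Constructed sample configurations: the exposed setting beside the hardened one.
EXPOSED = """[SERVICE]
    Flush        1
    HTTP_Server  On
    HTTP_Listen  0.0.0.0
    HTTP_Port    2020
[INPUT]
    Name cpu
"""
HARDENED = EXPOSED.replace("HTTP_Listen  0.0.0.0", "HTTP_Listen  127.0.0.1")
```

Binding to loopback keeps the API available for a local sidecar or health check while removing network exposure; setting HTTP_Server Off removes the endpoint entirely, which matches the article's advice when the endpoint is not needed.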