Introduction

At Aqua Security, our commitment to safeguarding cyber environments means we vigilantly monitor emerging threats that could impact the robust ecosystems our customers rely on. A recent critical vulnerability discovered in Fluent Bit, a key logging utility used widely across cloud services, demands immediate attention. Known as CVE-2024-4323, this vulnerability, dubbed "Linguistic Lumberjack," poses significant risks, including denial of service, information disclosure, and potential remote code execution.


The CVE-2024-4323 Vulnerability Explained

On April 30, 2024, Tenable Research disclosed a critical memory corruption vulnerability within Fluent Bit’s built-in HTTP server. This issue, introduced in version 2.0.7 and persisting through 3.0.3, has been resolved in the main source branch and is expected to be officially fixed in release 3.0.4. The vulnerability, if exploited, could lead to severe security breaches, including:

  • Denial of Service (DoS): Disruption of service availability.
  • Information Disclosure: Unauthorized access to sensitive information.
  • Remote Code Execution (RCE): Execution of arbitrary code, potentially leading to full system compromise.


Overview of Fluent Bit

Fluent Bit is an open-source data collector and processor designed for high scalability and ease of use, making it a preferred choice for log management in cloud-based environments. With over 3 billion downloads and more than 10 million daily deployments, Fluent Bit is integral to the monitoring infrastructure of major cloud providers.


Aqua Security's Assurance

In light of CVE-2024-4323, we want to assure our customers that Aqua Security products and images are unaffected by this vulnerability. Here’s why:

  • No Usage of Fluent Bit: Our codebase does not utilize Fluent Bit, and our analysis shows no evidence of sub-dependencies using this package.
  • Secure Images: All Aqua Security images are verified to be free from this vulnerability.


Immediate Mitigation Steps

To address CVE-2024-4323, we recommend the following actions:

  1. Upgrade Fluent Bit: Immediately update Fluent Bit to version 3.0.4 or later to mitigate this vulnerability.
  2. Limit Access: Restrict access to the vulnerable HTTP endpoint as an additional precaution.


Aqua Security's Plan and Actions


Preliminary Analysis and Next Steps:


Based on our research, we will be reporting CVE-2024-4323 only on the OSS executable. Vendor packages for Fluent Bit will show as unaffected until the vendors publish an advisory for it. This vulnerability can be exploited for Denial-of-Service (DoS) and also has a proof-of-concept (PoC) exploit available. You can find more details on the PoC exploit here: CVE-2024-4323 Exploit PoC.


CVE Reporting:

  • CyberCenter Integration:The detection and CyberCenter changes have been completed. CVE-2024-4323 will be added to Aqua’s CyberCenter to report vulnerable versions.
    • Availability: CyberCenter updates will reflect around 6:30 PM UTC on May 24th. You can then search for the CVE in CyberCenter. As of now, the online CyberCenter of both Trivy & Classic should be working as expected, detecting the executable and reporting the vulnerability.


  • Executable Feeds Update:We are enhancing our capabilities to detect the Fluent Bit executable to identify vulnerable versions accurately.
    • Availability: The updated executable feeds will be available within 24 hours. Customers will receive this updated feed, enabling detection of the Fluent Bit executable with CVE-2024-4323 reported on it.



Current Status:

- Trivy Detection: Trivy is now able to successfully detect the Fluent Bit CVE.

- Offline CyberCenter: The new Offline CyberCenter image with Fluent Bit detection will be ready. The timestamp on the Offline CyberCenter image is added as part of a label:

"Labels": {"com.aquasec.builddate": "2024-05-25T12:15" }


Conclusion

At Aqua Security, we remain dedicated to protecting our customers from cybersecurity threats through continuous vigilance and advanced security solutions. Our proactive measures ensure that you are safeguarded against vulnerabilities like CVE-2024-4323. For more detailed updates and security insights, stay tuned to our official documentation.


Additional Resources

[1] https://www.tenable.com/blog/linguistic-lumberjack-attacking-cloud-services-via-logging-endpoints-fluent-bit-cve-2024-4323

[2] https://www.tenable.com/security/research/tra-2024-17


image