Security outfit Tenable says it has found a critical memory corruption flaw in Fluent Bit's built-in HTTP server that could allow an attacker to carry out a denial of service information leakage or remote code execution.
In a statement, the company said it had named the flaw Linguistic Lumberjack and informed the maintainers of the project on 30 April. Fixes had been committed on 15 May and would be available in the next release, 3.0.4. The issue has been assigned CVE-2024-4323.
The Tenable statement described Fluent Bit as a small, open-source data collector and processor that could handle big amounts of log data from different sources.
The server was designed to be scalable and easy to use, which made it ideal for collecting and processing logs in cloud-based environments.
{loadposition sam08}Fluent Bit has been downloaded more than three billion times as of 2022, there are more than 10 million deployments each day and it is used heavily in most major cloud providers' infrastructure.
"Nearly every large cloud provider uses this utility, which is known to contain lots of juicy information for attackers," said Tenable staff research engineer Jimi Sebree.
"It’s important to realise that information leakage, denial of service and remote code execution are all possible outcomes if the latest version is not being used.
"Organisations should update these utilities regularly, adopt adequate defence-in-depth measures, and utilise the principle of least privilege to ensure these tools cannot be misused by attackers."
Tenable said updating to the latest version was advised. Else, users could limit access to a vulnerable endpoint.
The company has published a detailed blog post about the vulnerability.