Fluent Bit, a leading log processing and metrics collection tool under the Cloud Native Computing Foundation (CNCF), has been found vulnerable to critical security flaws that could expose cloud infrastructures to denial-of-service (DoS) attacks.
Identified as CVE-2024-50608 and CVE-2024-50609, these vulnerabilities score 8.9 on the CVSS v3.1 scale and affect the Prometheus Remote Write and OpenTelemetry input plugins due to improper handling of HTTP headers.
Researchers at Ebryx discovered that attackers could exploit the flaws by sending POST requests with a `Content-Length: 0` header, leading to a null pointer dereference (CWE-476) and crashing the service.

```shell
curl --path-as-is -i -s -k -X POST \
  -H "Host: localhost:8080" \
  -H "Content-Length: 0" \
  --data-binary 'message "RkFSQU46TUVHQUNIQVIweDAx"' \
  http://127.0.0.1:9090/api/prom/push
```
The issue arises from the `cfl_sds_len` function, which tries to compute the length of a null pointer, leading to a crash. In addition, a logic gap in the `header_lookup` function failed to properly validate `Content-Length` values:

```c
if (val <= 0) { /* Pre-patch: only checked for val < 0 */
    return -1;
}
p->header_content_length = val;
```
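To make the difference between the two checks concrete, here is an added example (not Fluent Bit's own code) that parses a `Content-Length` value strictly and contrasts the pre-patch `val < 0` test with the patched `val <= 0` test; the `struct request` and the function names are hypothetical stand-ins for the plugin's request context.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Hypothetical request context, loosely modelled on the page's
 * p->header_content_length; not Fluent Bit's own struct. */
struct request {
    long header_content_length;
    const char *body;   /* NULL when the request carries no payload */
};

/* Parse a Content-Length value: optional '-', then decimal digits only,
 * no whitespace, no trailing junk, no overflow. Returns 0 on success. */
static int parse_content_length(const char *val, long *out)
{
    char *end;
    if (val == NULL || *val == '\0') return -1;
    if (*val != '-' && !isdigit((unsigned char)*val)) return -1;
    errno = 0;
    long n = strtol(val, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    *out = n;
    return 0;
}

/* Pre-patch logic as the page describes it: only negative lengths are
 * rejected, so Content-Length: 0 passes and the NULL body is later
 * handed to the length computation. The crash is modelled as -2. */
int header_lookup_prepatch(struct request *p, const char *val)
{
    long n;
    if (parse_content_length(val, &n) != 0) return -1;
    if (n < 0) return -1;
    p->header_content_length = n;
    if (p->body == NULL) return -2;   /* where cfl_sds_len would crash */
    return 0;
}

/* Patched logic: zero is rejected too, so an empty payload is refused
 * before any body-length computation runs. */
int header_lookup_patched(struct request *p, const char *val)
{
    long n;
    if (parse_content_length(val, &n) != 0) return -1;
    if (n <= 0) return -1;
    p->header_content_length = n;
    return 0;
}
```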
A second vulnerability (CWE-787: Out-of-Bounds Write) affects systems with over 32 CPU cores, where improper array indexing in the `ne_utils_file_read_uint64` function could trigger segmentation faults.
Using the boofuzz fuzzer, researchers identified that multiple OpenTelemetry endpoints (`/v1/traces`, `/v1/logs`, `/v1/metrics`) were vulnerable. Successful exploitation could crash Fluent Bit, disrupting log aggregation and compromising observability in production environments.
With Fluent Bit supporting over 15 billion downloads and 10 million daily deployments, unpatched instances could destabilize Kubernetes clusters, serverless platforms, and SaaS monitoring tools.
Fluent Bit maintainers have released patches to address the vulnerabilities:
Administrators should:
```
[INPUT]
    name          opentelemetry
    listen        0.0.0.0
    port          4318
    tls           on
    tls.cert_file /etc/ssl/certs/fluent-bit.crt
    tls.key_file  /etc/ssl/private/fluent-bit.key
```
This incident highlights the importance of protocol-level fuzz testing in CNCF projects, especially for components managing external data. As cloud adoption grows, securing telemetry pipelines is as vital as protecting application code.
Organizations are urged to apply patches promptly and strengthen monitoring strategies to mitigate potential threats.