Fluent Bit DoS Vulnerability — CVE-2024-23722

Aiden Durand
Mar 25, 2024


In fluent-bit versions 2.1.8 through 2.2.1, HTTP requests are not properly validated before being processed. If an HTTP request is sent whose body contains no ‘=’, the application is unable to parse the request and creates an array full of null pointers. This causes a null pointer dereference later, when the application attempts to load the parsed data, and the process crashes. An attacker can use this vulnerability to cause a DoS against any Fluent Bit server that is configured to receive HTTP requests. Because fluent-bit is a log router, crashing the server can prevent logs from being delivered to their destinations and create a visibility gap that attackers can further exploit. We were unable to find any RCE vulnerabilities stemming from this issue. A CVE, CVE-2024-23722, was assigned to this vulnerability.

A POC for the vulnerability can be found here: https://github.com/alexcote1/CVE-2024-23722-poc

Below is a screenshot of exploitation. In the top terminal the Fluent Bit server is running. In the bottom terminal an HTTP request with no ‘=’ in the body is sent to the server. The server crashes and a stack trace is printed in the top terminal.

The vulnerable line of code is found in fluent-bit/plugins/in_http/http_prot.c. On line 440 the server tries to “jump” to the first equals sign in the body. No check is performed to see whether an equals sign exists at all.

This leaves the “keys” array empty, causing a null dereference on line 457 when a function is called on it, and the server crashes.
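As an added illustration (not Fluent Bit's own code), here is a small C parser for a form-encoded body that performs the check the post describes as missing: it searches for ‘=’ only inside each pair and rejects the body when the search returns NULL, instead of going on to build an array of null pointers. The function and struct names are hypothetical and the sample bodies are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PAIRS 8

/* One parsed pair; the slices point into the original body buffer. */
struct kv { const char *key; size_t key_len; const char *val; size_t val_len; };

/* Parse a form-encoded body such as "tag=app&msg=hello" into key/value
 * slices. Returns the number of pairs, or -1 if any pair (including an
 * empty one) has no '=' or more than `max` pairs are present.
 * Hypothetical hardened parser written for this post, not Fluent Bit's code. */
int parse_form_body(const char *body, size_t len, struct kv *out, int max)
{
    const char *p = body, *end = body + len;
    int n = 0;
    while (p < end) {
        const char *amp = memchr(p, '&', (size_t)(end - p));
        const char *pair_end = amp ? amp : end;
        /* The check the vulnerable code lacked: search for '=' only inside
         * this pair and refuse the body instead of using a NULL result. */
        const char *eq = memchr(p, '=', (size_t)(pair_end - p));
        if (eq == NULL || n >= max)
            return -1;
        out[n].key = p;
        out[n].key_len = (size_t)(eq - p);
        out[n].val = eq + 1;
        out[n].val_len = (size_t)(pair_end - (eq + 1));
        n++;
        if (amp == NULL)
            break;
        p = amp + 1;
    }
    return n;
}

int main(void)
{
    /* Constructed sample bodies: one well-formed, one with no '=' at all. */
    const char *good = "tag=app&msg=hello", *bad = "just-a-string";
    struct kv kv[MAX_PAIRS];
    int n = parse_form_body(good, strlen(good), kv, MAX_PAIRS);
    for (int i = 0; i < n; i++)
        printf("%.*s -> %.*s\n", (int)kv[i].key_len, kv[i].key,
               (int)kv[i].val_len, kv[i].val);
    n = parse_form_body(bad, strlen(bad), kv, MAX_PAIRS);
    printf("body without '=': parse result %d (rejected, no crash)\n", n);
    return 0;
}
```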

Fluent Bit should not be exposed publicly, and any instances you run should be updated to at least version 2.2.2, which resolves this issue.

Credit to Alexander Cote for discovering this vulnerability and Aiden Durand for helping with investigation and triage.
