[Alert] CVE-2022-39379: Remote Code Execution in Fluentd with non-default configurations

Fluentd is a popular open-source data collector that gathers events from many sources and writes them efficiently to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop, and more. A recently disclosed remote code execution (RCE) vulnerability affects non-default Fluentd configurations and puts users at risk, especially where Fluentd processes JSON payloads from untrusted sources.

Vulnerability Overview

This critical vulnerability (CVE-2022-39379) lets unauthenticated attackers execute arbitrary code by sending specially crafted JSON payloads to an affected Fluentd instance. Only Fluentd deployments that have the environment variable FLUENT_OJ_OPTION_MODE explicitly set to object are impacted; the default mode is not affected.

The option (FLUENT_OJ_OPTION_MODE) was added in Fluentd version 1.13.2, which means earlier versions are not affected by this vulnerability.

Affected Fluentd versions: 1.13.2 - 1.15.2
Patched version: 1.15.3

Exploit Details

An attacker can exploit this vulnerability by sending a malicious JSON payload with embedded Ruby code to an affected Fluentd instance. The following is an example snippet of a potentially harmful JSON payload:

{
  "@timestamp": "2022-01-01T00:00:00.000Z",
  "message": "test_message",
  "vuln_payload": "{\"___classid___\":\"Fluent::Plugin::ObjectBufferedOutput::ObjectBuffer\"}"
}

When processed by a vulnerable Fluentd instance, this payload results in the execution of the embedded Ruby code.

References

- CVE-2022-39379
- GitHub Security Advisory - Fluentd

Mitigation Steps

To mitigate this vulnerability, it's strongly advised to upgrade to the patched Fluentd version (1.15.3) as soon as possible.

Don't use FLUENT_OJ_OPTION_MODE=object in your Fluentd configuration.

By avoiding the use of the object mode in the FLUENT_OJ_OPTION_MODE option, you can prevent the vulnerable code execution path. This workaround may not be ideal for all environments, so it's highly recommended to update Fluentd to version 1.15.3 or later.
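The following is an added example, not code from the advisory or from the Fluentd project. It turns the two conditions stated above (version in the affected range and FLUENT_OJ_OPTION_MODE=object) into a small audit helper, and pairs it with a data-only JSON decoder that shows what a non-object parse of the example payload yields: a plain string, never an instantiated Ruby object. The version range and mode name come from the advisory; the function names, the sample event and the use of Ruby's standard-library JSON parser are assumptions made for this example.

```ruby
require 'json'
require 'rubygems' # provides Gem::Version; part of the standard Ruby distribution

# Version range and fixed release as stated in the advisory.
AFFECTED_RANGE  = (Gem::Version.new('1.13.2')..Gem::Version.new('1.15.2'))
PATCHED_VERSION = Gem::Version.new('1.15.3')

# True only when both advisory conditions hold: the running version lies in
# the affected range AND FLUENT_OJ_OPTION_MODE is explicitly "object".
def fluentd_affected?(version, oj_mode)
  AFFECTED_RANGE.cover?(Gem::Version.new(version)) && oj_mode.to_s == 'object'
end

# Human-readable verdict for one instance (helper name is an assumption).
def audit_verdict(version, oj_mode)
  v = Gem::Version.new(version)
  if fluentd_affected?(version, oj_mode)
    "AFFECTED: Fluentd #{version} with FLUENT_OJ_OPTION_MODE=object; " \
      "upgrade to #{PATCHED_VERSION} or stop using object mode"
  elsif AFFECTED_RANGE.cover?(v)
    "not exploitable as configured (object mode not set); upgrade to #{PATCHED_VERSION} anyway"
  else
    'not affected'
  end
end

# Only these classes may appear in a decoded untrusted event. A parser running
# in a data-only mode never produces anything else.
PLAIN_TYPES = [Hash, Array, String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

# Decode untrusted JSON with the standard-library parser, which does not
# instantiate arbitrary objects (create_additions is off by default), then
# walk the result and refuse anything that is not plain data.
def parse_untrusted_event(text)
  data = JSON.parse(text)
  each_node(data) do |node|
    unless PLAIN_TYPES.any? { |t| node.is_a?(t) }
      raise TypeError, "refusing non-data value of class #{node.class}"
    end
  end
  data
end

# Depth-first visit of every value in a decoded JSON document.
def each_node(node, &blk)
  yield node
  case node
  when Hash  then node.each_value { |v| each_node(v, &blk) }
  when Array then node.each { |v| each_node(v, &blk) }
  end
end

# Constructed sample event built from the advisory's example payload. Decoded
# as data, "vuln_payload" is nothing more than a string value.
SAMPLE_EVENT = '{"@timestamp":"2022-01-01T00:00:00.000Z","message":"test_message",' \
               '"vuln_payload":"{\"___classid___\":\"Fluent::Plugin::ObjectBufferedOutput::ObjectBuffer\"}"}'

if __FILE__ == $PROGRAM_NAME
  # '1.14.0' is a constructed version for the demo; in practice take it from `fluentd --version`.
  puts audit_verdict('1.14.0', ENV['FLUENT_OJ_OPTION_MODE'])
  event = parse_untrusted_event(SAMPLE_EVENT)
  puts "vuln_payload decoded as #{event['vuln_payload'].class}" # String, not an object
end
```

Run it with FLUENT_OJ_OPTION_MODE=object set in the environment to see the "AFFECTED" verdict, and unset to see the "not exploitable as configured" verdict. The decoder illustrates the mitigation rather than replacing Fluentd's parser: whatever parser an instance uses, it should be running in a mode that yields only the classes listed in PLAIN_TYPES for input from untrusted sources.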

Conclusion

Securing your Fluentd instances is crucial to safeguarding your sensitive data and preventing unauthorized access to your systems. By applying the recommended mitigation steps or upgrading to version 1.15.3, you can mitigate the risks associated with CVE-2022-39379. Remember to continue monitoring your Fluentd deployments and apply updates promptly to avoid any future vulnerabilities.

Timeline

Published on: 11/02/2022 13:15:00 UTC
Last modified on: 11/04/2022 15:41:00 UTC