CVE-2024-4323 (tracing http monitoring api) does NOT impact aws-for-fluent-bit #826
Comments
AFAIK, this is correct. AWS for Fluent Bit uses 1.9.10 and is not impacted. The CVE was introduced when they introduced tracing support, and our distro has not released that feature yet.
Hi @PettitWesley,
Keeping this open for a little while in case others have the same question
@PettitWesley we are using the stable version of aws-for-fluent-bit, public.ecr.aws/aws-observability/aws-for-fluent-bit:stable. I saw an article related to this which says "The latest version of Fluent Bit, version 3.0.4, fixes this issue. We'd like to make sure you're aware of a security vulnerability (known as CVE-2024-4323) that impacts Fluent Bit versions 2.0.7 through 3.0". We are thinking of upgrading this now to the 3.0.4 image; will this resolve the issue?
Would the image be impacted in the future when the FluentBit version that it uses internally is bumped? Or will the impacted versions be skipped?
Describe the question/issue
A memory corruption vulnerability was found in Fluent Bit versions 2.0.7 thru 3.0.3.
Since it seems like version 1.9.10 is being used based on this changelog, there might be no possibility of being affected. However, will aws-for-fluent-bit be impacted by this vulnerability?
Related Issues
https://www.cve.org/CVERecord?id=CVE-2024-4323