CVE-2024-4323 (tracing http monitoring api) does NOT impact aws-for-fluent-bit #826

Open
naoya7076 opened this issue May 22, 2024 · 5 comments

Comments

@naoya7076

naoya7076 commented May 22, 2024

Describe the question/issue

A memory corruption vulnerability was found in Fluent Bit versions 2.0.7 thru 3.0.3.
Since it seems like version 1.9.10 is being used based on this changelog, there might be no possibility of being affected. However, will aws-for-fluent-bit be impacted by this vulnerability?

Correct. As far as we know there is no impact to AWS for Fluent Bit. #826 (comment)

Configuration

Fluent Bit Log Output

Fluent Bit Version Info

Cluster Details

Application Details

Steps to reproduce issue

Related Issues

https://www.cve.org/CVERecord?id=CVE-2024-4323

@naoya7076 naoya7076 changed the title Is CVE-2024-4323 affect aws-for-fluent-bit? Does CVE-2024-4323 affect aws-for-fluent-bit? May 22, 2024
@PettitWesley PettitWesley changed the title Does CVE-2024-4323 affect aws-for-fluent-bit? CVE-2024-4323 (tracing http monitoring api) does NOT impact aws-for-fluent-bit May 22, 2024
@PettitWesley
Contributor

AFAIK, this is correct. AWS for Fluent Bit uses 1.9.10 and is not impacted. The CVE was introduced when they introduced tracing support, and our distro has not released that feature yet.

https://www.tenable.com/security/research/tra-2024-17

@naoya7076
Author

Hi @PettitWesley ,
Thank you for your reply. Your response has resolved my concerns. I will now close this issue.
Best regards,

@PettitWesley
Contributor

Keeping this open for a little while in case others have the same question

@arjunrk16

@PettitWesley we are using the stable version of aws-for-fluent-bit

public.ecr.aws/aws-observability/aws-for-fluent-bit:stable

I saw an article related to this which says

"The latest version of Fluent Bit, version 3.0.4, fixes this issue. We'd like to make sure you're aware of a security vulnerability (known as CVE-2024-4323) that impacts Fluent Bit versions 2.0.7 through 3.0"

We are thinking of upgrading to the 3.0.4 image now; will this resolve the issue?

@dmitriy-drenkaliuk

Would the image be impacted in the future when the Fluent Bit version that it uses internally is bumped? Or will the impacted versions be skipped?
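A check a practitioner can run against the `stable` tag mentioned above, and again after any future image bump, to confirm which upstream Fluent Bit version the image bundles and whether it lies in the affected 2.0.7 through 3.0.3 range. This is an added example, not code from this thread or from the aws-for-fluent-bit project; it assumes the binary lives at `/fluent-bit/bin/fluent-bit` inside the image and that `fluent-bit --version` prints a line such as `Fluent Bit v1.9.10`.

```python
"""Check whether a Fluent Bit build falls in the CVE-2024-4323 affected range.

Affected range per the CVE record and this thread: 2.0.7 through 3.0.3
(fixed in 3.0.4). Builds below 2.0.7, such as the 1.9.10 used by
aws-for-fluent-bit, predate the tracing HTTP monitoring API entirely.
"""
import re
import subprocess

AFFECTED_MIN = (2, 0, 7)
AFFECTED_MAX = (3, 0, 3)

# Assumptions (not confirmed by the thread): the image ships the binary at
# this path, and `fluent-bit --version` prints "Fluent Bit vX.Y.Z".
DEFAULT_IMAGE = "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable"
FLUENT_BIT_BIN = "/fluent-bit/bin/fluent-bit"


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from `fluent-bit --version` output."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text: str) -> bool:
    """True if the reported version lies within 2.0.7..3.0.3 inclusive."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def image_version(image: str = DEFAULT_IMAGE) -> str:
    """Run the image's fluent-bit binary with --version (needs Docker)."""
    out = subprocess.run(
        ["docker", "run", "--rm", "--entrypoint", FLUENT_BIT_BIN,
         image, "--version"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    text = image_version()
    print(text.strip())
    print("affected by CVE-2024-4323:", is_affected(text))
```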
