Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-39379: Remove `object` from the available list of `FLUENT_OJ_OPTION_MODE` · fluent/fluentd@48e5b85

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use FLUENT_OJ_OPTION_MODE=object.

CVE
#sql#vulnerability#js#rce#auth#ruby

Permalink

Browse files

Remove object from the available list of FLUENT_OJ_OPTION_MODE

There is less benefit by this option in actual, and it will instroduce serious security risk since it can execute arbitrary Ruby code. We remove it since keeping it secure is difficult.

ref: GHSL-2022-067

Signed-off-by: Takuro Ashie [email protected]

  • Loading branch information

Related news

GHSA-fppq-mj76-fpj2: fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

### Impact A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. ### Patches v1.15.3 ### Workarounds Do not use `FLUENT_OJ_OPTION_MODE=object`. ### References * GHSL-2022-067

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907