Headline
CVE-2022-39379: Remove `object` from the available list of `FLUENT_OJ_OPTION_MODE` · fluent/fluentd@48e5b85
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE
is explicitly set to object
. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use FLUENT_OJ_OPTION_MODE=object
.
Permalink
Browse files
Remove object from the available list of FLUENT_OJ_OPTION_MODE
There is less benefit by this option in actual, and it will instroduce serious security risk since it can execute arbitrary Ruby code. We remove it since keeping it secure is difficult.
ref: GHSL-2022-067
Signed-off-by: Takuro Ashie [email protected]
- Loading branch information
Related news
### Impact A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. ### Patches v1.15.3 ### Workarounds Do not use `FLUENT_OJ_OPTION_MODE=object`. ### References * GHSL-2022-067