Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-fppq-mj76-fpj2: fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

Impact

A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.

Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object.

Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.

Patches

v1.15.3

Workarounds

Do not use FLUENT_OJ_OPTION_MODE=object.

References

  • GHSL-2022-067
ghsa
#vulnerability#js#rce#auth

Impact

A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.

Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object.

Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.

Patches

v1.15.3

Workarounds

Do not use FLUENT_OJ_OPTION_MODE=object.

References

  • GHSL-2022-067

References

  • GHSA-fppq-mj76-fpj2
  • fluent/fluentd@48e5b85

Related news

CVE-2022-39379: Remove `object` from the available list of `FLUENT_OJ_OPTION_MODE` · fluent/fluentd@48e5b85

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.