CVE-2022-39379
LOW3.1EPSS 6.0%Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
Description
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.
Affected packages (2)
- Bitnami/fluentd>= 1.13.2, < 1.15.3
- RubyGems/fluentd>= 1.13.2, < 1.15.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-39379
- PATCHhttps://github.com/fluent/fluentd
- WEBhttps://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
- WEBhttps://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO