Fluent Bit OpenTelemetry and Fluent Bit Prometheus Vulnerability


CVE-2024-50609 – Fluent Bit OpenTelemetry Input Plugin Remote DoS Vulnerability 

Overview 

CVE-2024-50609 is a denial-of-service (DoS) vulnerability affecting Fluent Bit 3.1.9. The flaw resides in the OpenTelemetry input plugin, which crashes when it receives an HTTP request whose Content-Length header is 0. Any client that can reach the plugin's listener can send such a request without authentication, and because every input, filter and output runs inside the one Fluent Bit process, the crash takes the whole collector down, not just the OpenTelemetry endpoint.


Technical Analysis 

The OpenTelemetry input plugin (opentelemetry_prot.c) parses incoming HTTP requests carrying OTLP telemetry. When a request declares Content-Length: 0, the HTTP layer reads no body and the plugin's body pointer stays NULL, but the plugin never checks for that case and hands the pointer to cfl_sds_len, the length accessor for Fluent Bit's cfl_sds string type. A cfl_sds value is a pointer to the character buffer itself; its length and allocation size live in a small header placed immediately before that buffer. cfl_sds_len(NULL) therefore subtracts the header size from NULL and reads from an unmapped address just below 0. The kernel delivers SIGSEGV and the Fluent Bit process terminates.


Vulnerable Code Path:

  1. An HTTP POST request with Content-Length: 0 is received.

  2. The plugin calls process_payload_traces_proto_ng to handle the payload.

  3. The payload pointer remains NULL due to zero content length.

  4. cfl_sds_len(NULL) attempts to access the len field of a non-existent struct, causing a crash.

Sample Attack Scenario

Step 1: Identify the Target
An attacker discovers a Fluent Bit instance (v3.1.9) with the OpenTelemetry plugin exposed on port 4318.

Step 2: Craft the Exploit
Using curl, the attacker sends a malformed request:

  curl -X POST -H "Content-Length: 0" http://target-ip:4318

Step 3: Trigger the Crash
The plugin processes the request, tries to take the length of a body that was never allocated, and dereferences a NULL pointer. The process receives SIGSEGV: Fluent Bit's signal handler prints a caught signal (SIGSEGV) line (with a stack trace in builds that support it) and the process exits, after which the supervising shell, init system or container runtime reports something like:

  Segmentation fault (core dumped)

Impact: The process exits and stops collecting logs until it is restarted. Under Kubernetes the kubelet restarts the container automatically, but an attacker who simply repeats the request drives the pod into CrashLoopBackOff, and any records Fluent Bit had buffered in memory but not yet flushed are lost unless filesystem buffering (storage.type filesystem) is configured.


Mitigation Steps

  1. Upgrade Fluent Bit: Move to a release that contains the fix (later than 3.1.9; confirm the first fixed version against the upstream advisory before pinning a version string).

  2. Network Hardening: Restrict access to the OpenTelemetry listener with firewalls or Kubernetes network policies, and bind it to a non-public address through the input's listen option instead of 0.0.0.0 wherever the senders allow it.

  3. Input Validation: If you build Fluent Bit from source or carry a backport, make the plugin reject a request with Content-Length: 0 (e.g., answer HTTP 400) before any code touches the body pointer.



Code Fix Example

The shape of the fix (illustrative C, not the upstream diff: the real handler takes the body pointer and its length from the parsed HTTP request) is to confirm that a body was actually received before anything calls cfl_sds_len on it:

  // In opentelemetry_prot.c (process_payload_traces_proto_ng)
  // content_length: value of the Content-Length header
  // payload: body buffer, NULL when no body was read
  if (content_length == 0 || payload == NULL) {
      flb_plg_error(ctx->ins, "Empty payload");
      return -1;   // caller answers the client with HTTP 400 instead of crashing
  }
  size_t len = cfl_sds_len(payload); // safe: payload is non-NULL here


Conclusion

CVE-2024-50609 highlights the risks of improper input validation in data processing tools. Organizations using Fluent Bit should prioritize patching or implementing network controls to block exploitation.




CVE-2024-50608 – Fluent Bit Prometheus Remote Write Plugin Remote DoS Vulnerability


Overview

CVE-2024-50608 is a DoS vulnerability in Fluent Bit 3.1.9’s Prometheus Remote Write input plugin. Attackers can crash the service by sending a request with Content-Length: 0, exploiting a NULL pointer dereference in payload processing.


Technical Analysis

The Prometheus Remote Write input plugin (prom_rw_prot.c) accepts metrics over HTTP in the remote-write format. When a request arrives with Content-Length: 0, no body is read and process_payload_metrics_ng passes the resulting NULL payload pointer to cfl_sds_len. As with CVE-2024-50609, cfl_sds_len reads the string header stored just before the buffer, so the NULL pointer turns into a read below address 0 and the process is killed with SIGSEGV.

Vulnerable Code Path:

  1. A request with Content-Length: 0 is accepted without any check that a body was actually read.

  2. process_payload_metrics_ng attempts to parse a non-existent payload.

  3. cfl_sds_len(NULL) triggers a segmentation fault.



Sample Attack Scenario

Step 1: Locate the Exposed Endpoint
The attacker identifies a Fluent Bit instance exposing the Prometheus Remote Write input plugin (on port 8428 in this example; the real port is whatever the input's port option is set to).

Step 2: Exploit the Vulnerability
A minimal HTTP request is sent:

  curl -X POST -H "Content-Length: 0" http://target-ip:8428/api/v1/write

Step 3: Observe Service Crash
The request reaches process_payload_metrics_ng with no body, cfl_sds_len(NULL) faults, and the whole Fluent Bit process exits with SIGSEGV, exactly as for CVE-2024-50609. The plugin itself logs nothing; the signal handler's caught signal (SIGSEGV) line and the supervisor's report, typically:

  Segmentation fault (core dumped)

are the only traces left behind.

Impact: Metrics pipelines that push into Fluent Bit over remote write stop while the process is down. Senders such as Prometheus keep unsent samples in their write-ahead log and retry with backoff, so the gap is usually recoverable once Fluent Bit is back, but an attacker who repeats the request can keep the collector down indefinitely.



Mitigation Steps

  1. Patch Fluent Bit: Upgrade to a release later than 3.1.9 that contains the fix (check the upstream advisory for the first fixed version).

  2. Network Controls: Limit exposure of the Prometheus Remote Write listener with firewalls or Kubernetes network policies, and bind it to a non-public address through the input's listen option where possible.

  3. Code Fix: Validate Content-Length and the presence of a body before any processing, returning HTTP 400 for an empty request instead of crashing.
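
An added example of the Kubernetes network-policy mitigation listed under both CVEs; it is not from this page or from the Fluent Bit project. The namespace logging, the pod labels, the sender namespace apps and the listener ports 4318 (OpenTelemetry) and 8428 (Prometheus Remote Write) are assumptions to be adapted to the cluster:

```yaml
# Added example (not from the page or the Fluent Bit project). Namespace,
# labels and listener ports are assumptions; adjust them to your cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fluent-bit-ingress
  namespace: logging
spec:
  # Selecting the collector pods switches them to default-deny ingress;
  # only the rules below are then allowed.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: fluent-bit
  policyTypes:
    - Ingress
  ingress:
    # Only pods in the "apps" namespace that carry telemetry-sender=true may
    # reach the OpenTelemetry (4318) and Prometheus Remote Write (8428) ports.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: apps
          podSelector:
            matchLabels:
              telemetry-sender: "true"
      ports:
        - protocol: TCP
          port: 4318
        - protocol: TCP
          port: 8428
```

Two caveats: NetworkPolicy is enforced by the CNI plugin, so verify that the cluster's network plugin actually implements it, and it only governs pod-network traffic. A Fluent Bit DaemonSet running with hostNetwork, or exposing the listener through a hostPort, is reachable on the node's own address and needs a host firewall (or the listen option bound to a narrower address) instead.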


Code Fix Example

The corrected code (again illustrative, not the upstream diff) refuses an empty body before it reaches cfl_sds_len:

  // In prom_rw_prot.c (process_payload_metrics_ng)
  // content_length: value of the Content-Length header
  // payload: body buffer, NULL when no body was read
  if (content_length == 0 || payload == NULL) {
      flb_plg_error(ctx->ins, "Empty payload received");
      return -1;   // caller answers the client with HTTP 400 instead of crashing
  }
  size_t len = cfl_sds_len(payload); // safe: payload is non-NULL here
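
The root cause of both CVE-2024-50609 and CVE-2024-50608 is the same unchecked cfl_sds_len call on a body pointer that is NULL whenever Content-Length is 0. What follows is an added example written for this page, not code from the Fluent Bit project: it models the cfl_sds layout (length and allocation kept in a header immediately before the buffer, mirroring cfl_sds.h) and places the vulnerable handler beside the guarded one so the difference is visible in a few lines. Every identifier ending in _demo is hypothetical, and the request bodies are constructed.

```c
/* Added example (not Fluent Bit's own code): a cut-down model of the
 * cfl_sds string used by both input plugins, showing why a request body
 * of length 0 turns into a read near address 0, and the guard that
 * prevents it. All names ending in _demo are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* cfl_sds layout: a header sits immediately BEFORE the character buffer,
 * and the handle passed around points at the buffer itself. */
struct sds_head_demo {
    size_t len;
    size_t alloc;
};
typedef char *sds_demo;

#define SDS_HEAD_DEMO(s) \
    ((struct sds_head_demo *)((s) - sizeof(struct sds_head_demo)))

/* Allocate header + buffer, return a pointer to the buffer. */
static sds_demo sds_create_demo(const char *src, size_t len)
{
    struct sds_head_demo *h = malloc(sizeof(*h) + len + 1);
    char *buf;
    if (h == NULL) {
        return NULL;
    }
    h->len = len;
    h->alloc = len;
    buf = (char *)h + sizeof(*h);
    memcpy(buf, src, len);
    buf[len] = '\0';
    return buf;
}

static void sds_destroy_demo(sds_demo s)
{
    if (s != NULL) {
        free(SDS_HEAD_DEMO(s));
    }
}

/* Unchecked length read, the shape of cfl_sds_len(): with s == NULL this
 * computes (char *)0 - 16 and dereferences it, which is the SIGSEGV. */
static size_t sds_len_demo(sds_demo s)
{
    return SDS_HEAD_DEMO(s)->len;
}

/* Vulnerable shape: trusts that a body pointer always exists. */
static int process_payload_vuln_demo(sds_demo body)
{
    size_t len = sds_len_demo(body);   /* faults when body == NULL */
    return len > 0 ? 200 : 400;
}

/* Hardened shape: reject a missing or empty body before touching the
 * header. This is the check the text describes, not the upstream diff. */
static int process_payload_fixed_demo(sds_demo body, size_t content_length)
{
    if (body == NULL || content_length == 0) {
        return 400;   /* HTTP 400 Bad Request; the process keeps running */
    }
    return sds_len_demo(body) > 0 ? 200 : 400;
}

/* Model of the listener: Content-Length: 0 means no buffer is ever
 * allocated, so the handler receives NULL. Returns the HTTP status. */
static int handle_request_demo(const char *raw_body, size_t content_length,
                               int fixed)
{
    sds_demo body = NULL;
    int status;
    if (content_length > 0) {
        body = sds_create_demo(raw_body, content_length);
    }
    status = fixed ? process_payload_fixed_demo(body, content_length)
                   : process_payload_vuln_demo(body);
    sds_destroy_demo(body);
    return status;
}

int main(void)
{
    /* Constructed sample requests. */
    printf("fixed, 3-byte body -> %d\n", handle_request_demo("abc", 3, 1));
    printf("fixed, empty body  -> %d\n", handle_request_demo("", 0, 1));
    /* handle_request_demo("", 0, 0) would segfault, as Fluent Bit 3.1.9 did. */
    return 0;
}
```

With fixed=1 an empty body gets HTTP 400 and the process lives; with fixed=0 the same request reads the header at (char *)NULL - 16, which is exactly why both plugins died with SIGSEGV. Building with -fsanitize=address turns the bare segfault into a report naming that address, a quick way to confirm the diagnosis on a real core.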


Conclusion

CVE-2024-50608 underscores the importance of rigorous input validation in network-facing services. Immediate patching or network segmentation is advised to prevent exploitation.


Both vulnerabilities demonstrate how trivial input validation oversights can lead to critical service disruptions. Administrators should audit all Fluent Bit plugins for similar issues and enforce strict network access controls.


