CVE-2022-39379 (fluentd): fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

ADVISORIES

CVE-2022-39379 (NVD)
GHSA-fppq-mj76-fpj2
Vendor Advisory

GEM

fluentd

SEVERITY

CVSS v3.x: 3.1 (Low)

UNAFFECTED VERSIONS

< 1.13.2

PATCHED VERSIONS

>= 1.15.3

DESCRIPTION

Impact

A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.

Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object.

Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.

Patches

v1.15.3

Workarounds

Do not use FLUENT_OJ_OPTION_MODE=object.

References

GHSL-2022-067

https://securitylab.github.com/advisories/GHSL-2022-067_fluentd/
https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135

RubySec