CVE-2022-39379

2022-11-0213:15:13

Google

osv.dev

fluentd

rce vulnerability

unauthenticated code execution

json payloads

environment variable

object mode

patch

version 1.13.2

version 1.15.3

workaround

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.024 Low

EPSS

Percentile

90.1%

JSON

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use FLUENT_OJ_OPTION_MODE=object.

CPENameOperatorVersion
fluentdeq0.10.8
fluentdeq0.14.0.rc.2
fluentdeq0.14.2
fluentdeq0.9.4
fluentdeq1.9.2
fluentdeq0.14.8
fluentdeq1.12.0.rc1
fluentdeq1.0.1
fluentdeq1.0.2
fluentdeq0.10.19

Name	Operator	Version
fluentd	eq	0.10.8
fluentd	eq	0.14.0.rc.2
fluentd	eq	0.14.2
fluentd	eq	0.9.4
fluentd	eq	1.9.2
fluentd	eq	0.14.8
fluentd	eq	1.12.0.rc1
fluentd	eq	1.0.1
fluentd	eq	1.0.2
fluentd	eq	0.10.19