Vulnerabilities found in Fluent Bit Logging Tool API

Many companies use Fluent Bit, or tools built on top of the underlying fluentd package, to track performance, observability and system events, and to create metrics and monitoring alerts. Recently, however, a new vulnerability has come to light on the platform.

Fluent Bit is one of the most important and widely used open-source logging tools. It is fast, lightweight and highly scalable, making it the preferred choice for modern, cloud-native environments.

In fact, sources put the number of Fluent Bit downloads between 3 and 13 billion - with a B - which makes it one of the most widely distributed pieces of logging and observability software on Linux-based server systems.

This week, Tenable Research revealed the vulnerability, which they found on a specific API endpoint. If exploited, this vulnerability could expose sensitive customer data.

Like most modern software packages, Fluent Bit ships with an API that exposes various system functions and makes integration with Fluent Bit easy. On the vulnerable endpoint, a lack of request parameter specificity and sanitization means that malformed inputs can trigger unexpected behavior.

Some examples of this, from Tenable Research, include:

… large integer values (or a negative value) can cause a crash due to a “wild copy” in a later call to memcpy() when it attempts to write to protected memory.
… negative values between 1 and 16 can cause heap overwrites of adjacent memory. These will later result in a similar “wild copy” situation due to conversions between int, size_t, and uint data types.
… integer values not large enough to crash can cause disclosure of adjacent memory to the client making the request.
… a value of “-17” will cause a crash due to a null pointer dereference after a failed malloc() of zero later in the code.
… smaller and more targeted integer values can trigger a variety of stack corruption and other memory corruption issues, such as corrupted chunks and broken links in the heap management mechanisms.
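To make the failure modes in that list concrete from a defender's point of view, here is an added illustration in C; it is not Fluent Bit's code and does not reproduce the affected handler. `unvalidated_len` shows what a negative request value becomes once it is cast to a copy length, and `parse_count` is a hypothetical strict parser for a numeric request parameter that rejects negative, zero, oversized and malformed values before any allocation or copy happens. `MAX_ITEMS`, the function names and the sample inputs are assumptions.

```c
/* Added illustration, not Fluent Bit source: contrasts an unvalidated
   signed count with strict parsing of a numeric request parameter. */
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ITEMS 256u   /* hypothetical per-request cap; tune to the handler */

/* Unhardened pattern: a signed value from the request is cast to size_t for
   a later copy. -1 becomes SIZE_MAX (the "wild copy" in the article), and a
   count above the data actually present over-reads adjacent memory. */
size_t unvalidated_len(int requested) {
    return (size_t)requested;
}

/* Hardened pattern: parse the raw parameter as unsigned decimal and reject
   signs, trailing junk, overflow, zero, and counts beyond what is available.
   strtoul silently accepts "-17", so the leading-digit check matters. */
bool parse_count(const char *param, size_t available, size_t *out) {
    if (param == NULL || !isdigit((unsigned char)param[0]))
        return false;                      /* "", "-17", "+5", " 5" */
    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(param, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return false;                      /* overflow or "12abc" */
    if (v == 0 || v > MAX_ITEMS || v > available)
        return false;                      /* zero-size alloc or over-read */
    *out = (size_t)v;
    return true;
}

/* Convenience wrapper: 0 means "rejected" (0 is never a valid count). */
size_t parse_or_zero(const char *param, size_t available) {
    size_t n = 0;
    return parse_count(param, available, &n) ? n : 0;
}

int main(void) {
    printf("cast of -1 -> %zu\n", unvalidated_len(-1));
    printf("\"12\" -> %zu, \"-17\" -> %zu\n",
           parse_or_zero("12", 100), parse_or_zero("-17", 100));
    return 0;
}
```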

Modern software such as MOVEit, FortiSIEM and others that ship with APIs make any user of that software an API provider, by definition. This means that, whether you intended it or not, your organization now runs APIs. Therefore, your organization may now need to have API security controls in place to manage the associated risk and stay vigilant.

A good place to start is by ensuring your information security team knows about all the exposed APIs and conducts security assessments of them. Visibility is the most important part of any API security procedure: if you can’t see it, you can’t secure it. And oftentimes, these APIs slip through the cracks and are left exposed and accessible to bad actors.

When using tools like Fluent Bit, developers need to be aware of the associated API risks. It is important to understand your API landscape no matter what software and logging tools you use. FireTail can help you get a comprehensive view of all your API endpoints in order to track and secure them. To see how it works, schedule a free 30-minute demo with FireTail today.

Author's note: As with other third-party software publisher APIs in the supply chain, we have not included this in our API data breach tracker. As we continue to see more events of this type, we may revisit this and add it to the scope of the tracker.