GHSA-fppq-mj76-fpj2

Source

https://github.com/advisories/GHSA-fppq-mj76-fpj2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-fppq-mj76-fpj2/GHSA-fppq-mj76-fpj2.json

Aliases

• BIT-fluentd-2022-39379
• CVE-2022-39379

Published

2022-11-02T18:15:35Z

Modified

2024-02-21T05:28:11.809766Z

Summary

fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

Details

Impact

A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.

Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object.

Please note: The option FLUENTOJOPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.

Patches

v1.15.3

Workarounds

Do not use FLUENT_OJ_OPTION_MODE=object.

References

• GHSL-2022-067

References

• https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
• https://nvd.nist.gov/vuln/detail/CVE-2022-39379
• https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
• https://github.com/fluent/fluentd
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO