GHSA-hwhf-64mh-r662

Suggest an improvement
Source
https://github.com/advisories/GHSA-hwhf-64mh-r662
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-hwhf-64mh-r662/GHSA-hwhf-64mh-r662.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hwhf-64mh-r662
Aliases
Published
2021-11-01T19:16:31Z
Modified
2023-12-06T01:01:33.325970Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
ReDoS vulnerability in parser_apache2
Details

Impact

parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack.

Patches

v1.14.2

Workarounds

Either of the following:

  • Don't use parser_apache2 for parsing logs which cannot guarantee generated by Apache.
  • Put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable FLUENT_PLUGIN or --plugin option of fluentd).

References

References

Affected packages

RubyGems / fluentd

Package

Name
fluentd
Purl
pkg:gem/fluentd

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.14.14
Fixed
1.14.2

Affected versions

0.*

0.14.14
0.14.15
0.14.16
0.14.17
0.14.18
0.14.19
0.14.20.rc1
0.14.20
0.14.21
0.14.22.rc1
0.14.22.rc2
0.14.22
0.14.23.rc1
0.14.23
0.14.24
0.14.25

1.*

1.0.0.rc1
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0.pre1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4.rc1
1.2.4
1.2.5.rc1
1.2.5
1.2.6
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.5.0.rc1
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0.rc1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0.rc1
1.8.0.rc2
1.8.0.rc3
1.8.0
1.8.1
1.9.0.rc1
1.9.0.rc2
1.9.0
1.9.1
1.9.2
1.9.3
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.12.0.rc1
1.12.0.rc2
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.13.0
1.13.1
1.13.2
1.13.3
1.14.0.rc
1.14.0
1.14.1