GHSA-hwhf-64mh-r662

Source

https://github.com/advisories/GHSA-hwhf-64mh-r662

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-hwhf-64mh-r662/GHSA-hwhf-64mh-r662.json

Aliases

Published

2021-11-01T19:16:31Z

Modified

2023-12-06T01:01:33.325970Z

Details

Impact

parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack.

Patches

v1.14.2

Workarounds

Either of the following:

Don't use parser_apache2 for parsing logs which cannot guarantee generated by Apache.
Put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable FLUENT_PLUGIN or --plugin option of fluentd).

References

CVE-2021-41186
GHSA-hwhf-64mh-r662
GHSL-2021-102
https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142

References

Affected packages

RubyGems / fluentd

Package

Name: fluentd

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.14.14

Fixed

1.14.2

Affected versions

0.*

0.14.14

0.14.15

0.14.16

0.14.17

0.14.18

0.14.19

0.14.20.rc1

0.14.20

0.14.21

0.14.22.rc1

0.14.22.rc2

0.14.22

0.14.23.rc1

0.14.23

0.14.24

0.14.25

1.*

1.0.0.rc1

1.0.0

1.0.1

1.0.2

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0.pre1

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4.rc1

1.2.4

1.2.5.rc1

1.2.5

1.2.6

1.3.0

1.3.1

1.3.2

1.3.3

1.4.0

1.4.1

1.4.2

1.5.0.rc1

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.6.3

1.7.0.rc1

1.7.0

1.7.1

1.7.2

1.7.3

1.7.4

1.8.0.rc1

1.8.0.rc2

1.8.0.rc3

1.8.0

1.8.1

1.9.0.rc1

1.9.0.rc2

1.9.0

1.9.1

1.9.2

1.9.3

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

1.11.0

1.11.1

1.11.2

1.11.3

1.11.4

1.11.5

1.12.0.rc1

1.12.0.rc2

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.13.0

1.13.1

1.13.2

1.13.3

1.14.0.rc

1.14.0

1.14.1