Bug 879181 (CVE-2022-39379) - app-admin/fluentd: remote code execution via crafted JSON payloads
Summary: app-admin/fluentd: remote code execution via crafted JSON payloads
Status: CONFIRMED
Alias: CVE-2022-39379
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://github.com/fluent/fluentd/sec...
Whiteboard: C1 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-02 14:57 UTC by John Helmert III
Modified: 2023-06-23 09:10 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description John Helmert III 2022-11-02 14:57:27 UTC
CVE-2022-39379:

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: the option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround, do not use `FLUENT_OJ_OPTION_MODE=object`.

Please bump to 1.15.3.
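The mechanism behind the advisory, as an added Ruby example that is not part of the bug report, of Fluentd or of Oj: it models Oj's object-mode decoding with the stdlib JSON parser rather than calling Oj (assuming Oj's `^o` key names the class to instantiate and the remaining keys become instance variables), contrasts it with plain data parsing, and adds a small check for the affected version/configuration window stated in the advisory. `SampleRecord`, the payload and the env hashes are constructed for the example.

```ruby
require 'json'
require 'rubygems' # Gem::Version for the version-window check

# Constructed payload in Oj object-mode shape (assumption: "^o" carries the
# class name; other keys become instance variables of the new object).
EXAMPLE_PAYLOAD = '{"^o":"SampleRecord","host":"web01","severity":"info"}'

# Constructed class standing in for "whatever class the attacker names".
class SampleRecord
  attr_reader :host, :severity
end

# Safe handling: a data-only parser treats "^o" as an ordinary string key.
# This is the behaviour the advisory's workaround (not using object mode) keeps.
def parse_as_data(json)
  JSON.parse(json)
end

# Simplified model of object-mode decoding (not Oj's code): the payload, not
# the application, decides which class is instantiated and what state it gets.
# That is the property that lets crafted JSON reach arbitrary code paths.
def decode_object_mode(json)
  data = JSON.parse(json)
  return data unless data.is_a?(Hash) && data.key?('^o')
  klass = Object.const_get(data.delete('^o')) # attacker-chosen class
  obj = klass.allocate                         # no constructor runs
  data.each { |ivar, value| obj.instance_variable_set("@#{ivar}", value) }
  obj
end

# True when a deployment matches the advisory's affected conditions:
# FLUENT_OJ_OPTION_MODE explicitly "object", on a Fluentd from 1.13.2 (where
# the option appeared) up to but not including the 1.15.3 fix.
def affected?(env, fluentd_version)
  return false unless env['FLUENT_OJ_OPTION_MODE'] == 'object'
  v = Gem::Version.new(fluentd_version)
  v >= Gem::Version.new('1.13.2') && v < Gem::Version.new('1.15.3')
end

if __FILE__ == $PROGRAM_NAME
  puts "data parse  -> #{parse_as_data(EXAMPLE_PAYLOAD).inspect}"
  puts "object mode -> #{decode_object_mode(EXAMPLE_PAYLOAD).inspect}"
  puts "1.15.2 + object mode affected? #{affected?({ 'FLUENT_OJ_OPTION_MODE' => 'object' }, '1.15.2')}"
  puts "1.15.3 + object mode affected? #{affected?({ 'FLUENT_OJ_OPTION_MODE' => 'object' }, '1.15.3')}"
end
```

The point of the contrast is that the same bytes yield a `Hash` under data parsing but an instance of a payload-named class under object mode; the real Oj object mode does considerably more than this model (nested objects, references, etc.), which only widens what an attacker can reach. Running `affected?` against the environment of each Fluentd process is the quick triage for this bug.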
Comment 1 Sam James 2023-06-23 09:10:01 UTC
Ping!