879181 – (CVE-2022-39379) app-admin/fluentd: remote code execution via crafted JSON payloads

Bug 879181 (CVE-2022-39379) - app-admin/fluentd: remote code execution via crafted JSON payloads

Summary: app-admin/fluentd: remote code execution via crafted JSON payloads

Status:	CONFIRMED

Alias:	CVE-2022-39379

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://github.com/fluent/fluentd/sec...
Whiteboard:	C1 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2022-11-02 14:57 UTC by John Helmert III
Modified:	2022-11-02 14:57 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-11-02 14:57:27 UTC

CVE-2022-39379:

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.

Please bump to 1.15.3.