820779 – (CVE-2021-41186) <app-admin/fluentd-1.14.4: ReDoS vulnerability (CVE-2021-41186)

Bug 820779 (CVE-2021-41186) - <app-admin/fluentd-1.14.4: ReDoS vulnerability (CVE-2021-41186)

Summary: <app-admin/fluentd-1.14.4: ReDoS vulnerability (CVE-2021-41186)

Status:	RESOLVED FIXED

Alias:	CVE-2021-41186

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://github.com/fluent/fluentd/sec...
Whiteboard:	~3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2021-10-29 23:06 UTC by John Helmert III
Modified:	2022-08-16 22:44 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-10-29 23:06:18 UTC

CVE-2021-41186:

Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don't use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd).


Please bump to 1.14.2.

Comment 1 Larry the Git Cow gentoo-dev

2022-01-21 15:39:43 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36bbd3f3c31377163901a3139e90e75c0cb723eb

commit 36bbd3f3c31377163901a3139e90e75c0cb723eb
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-09-14 08:56:11 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-01-21 15:39:32 +0000

    app-admin/fluentd: 1.14.4 bump.
    
    Closes: https://bugs.gentoo.org/781197
    Closes: https://github.com/gentoo/gentoo/pull/22292
    Bug: https://bugs.gentoo.org/820779
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-admin/fluentd/Manifest              |  1 +
 app-admin/fluentd/files/fluentd.initd   |  2 +-
 app-admin/fluentd/fluentd-1.14.4.ebuild | 62 +++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)

Comment 2 John Helmert III archtester

2022-01-21 15:43:42 UTC

Thank you! Please cleanup

Comment 3 Larry the Git Cow gentoo-dev

2022-01-22 00:30:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0a43f560ea0dd7066add760b2d39d4e937fc0f6

commit b0a43f560ea0dd7066add760b2d39d4e937fc0f6
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-01-21 15:52:44 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-01-22 00:29:09 +0000

    app-admin/fluentd: remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/820779
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-admin/fluentd/Manifest             |  2 --
 app-admin/fluentd/fluentd-1.4.2.ebuild | 61 ----------------------------------
 app-admin/fluentd/fluentd-1.9.0.ebuild | 61 ----------------------------------
 3 files changed, 124 deletions(-)

Comment 4 John Helmert III archtester

2022-08-16 22:44:31 UTC

Sorry, all done here!