Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 879181 (CVE-2022-39379) - app-admin/fluentd: remote code execution via crafted JSON payloads
Summary: app-admin/fluentd: remote code execution via crafted JSON payloads
Status: RESOLVED FIXED
Alias: CVE-2022-39379
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://github.com/fluent/fluentd/sec...
Whiteboard: ~1 [noglsa]
Keywords: PMASKED, PullRequest
Depends on:
Blocks:
 
Reported: 2022-11-02 14:57 UTC by John Helmert III
Modified: 2024-01-24 15:40 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-02 14:57:27 UTC
CVE-2022-39379:

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.

Please bump to 1.15.3.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-06-23 09:10:01 UTC
Ping!
Comment 2 Hans de Graaff gentoo-dev Security 2023-10-22 08:24:23 UTC
I have updated fluentd to 1.14.6, EAPI 8, and ruby32. Unfortunately some tests fail, but this was already the case for 1.14.4. Hopefully this update will make it easier to add 1.15 or 1.16 to address this security issue.
Comment 3 Larry the Git Cow gentoo-dev 2023-12-31 10:46:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be5fa907eede6ea6961249477a4cb6b19aa5c9d0

commit be5fa907eede6ea6961249477a4cb6b19aa5c9d0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-12-31 10:34:02 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2023-12-31 10:46:12 +0000

    package.mask: Last rite app-admin/fluentd
    
    Bug: https://bugs.gentoo.org/879181
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2024-01-10 15:50:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed3b9a199f7d32bff1d280dc5f10ef403d5d34cc

commit ed3b9a199f7d32bff1d280dc5f10ef403d5d34cc
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2023-12-04 14:03:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-10 15:49:43 +0000

    app-admin/fluentd: add 1.16.3
    
    Bug: https://bugs.gentoo.org/879181
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/34126
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/fluentd/Manifest              |  1 +
 app-admin/fluentd/fluentd-1.16.3.ebuild | 70 +++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
Comment 5 Jaco Kroon 2024-01-11 07:54:22 UTC
There is no current stable in-tree so we just remove <1.16?  There was a stable request for 1.14, which I think we should shelf for the time being.
Comment 6 Larry the Git Cow gentoo-dev 2024-01-20 13:33:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e379896e502fca4405cbdd01d178212a6840b8bb

commit e379896e502fca4405cbdd01d178212a6840b8bb
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-01-11 14:59:33 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-20 13:30:14 +0000

    app-admin/fluentd: drop 1.14.4, 1.14.6
    
    Bug: https://bugs.gentoo.org/879181
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/34757
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/fluentd/Manifest              |   2 -
 app-admin/fluentd/files/fluent.conf     | 139 --------------------------------
 app-admin/fluentd/fluentd-1.14.4.ebuild |  63 ---------------
 app-admin/fluentd/fluentd-1.14.6.ebuild |  63 ---------------
 4 files changed, 267 deletions(-)
Comment 7 Hans de Graaff gentoo-dev Security 2024-01-24 15:40:13 UTC
(In reply to Jaco Kroon from comment #5)
> There is no current stable in-tree so we just remove <1.16?  There was a
> stable request for 1.14, which I think we should shelf for the time being.

Looks like there never was a stable version. I've updated the whiteboard accordingly and that means we're all done here. Thanks!