Impact
A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object.
Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.
Patches
v1.15.3
Workarounds
Do not use FLUENT_OJ_OPTION_MODE=object.
References
- GHSL-2022-067
References
- https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
- https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
- https://nvd.nist.gov/vuln/detail/CVE-2022-39379
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml
- https://github.com/advisories/GHSA-fppq-mj76-fpj2