CVE-2022-39379 - OpenCVE

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Fluentd	Fluentd

Configuration 1 [-]

cpe:2.3:a:fluentd:fluentd:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/
https://nvd.nist.gov/vuln/detail/CVE-2022-39379
https://www.cve.org/CVERecord?id=CVE-2022-39379

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-11-02T00:00:00

Updated: 2024-08-03T12:00:44.172Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39379

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-02T13:15:13.583

Modified: 2023-11-07T03:50:28.803

Link: CVE-2022-39379

Redhat

Severity : Moderate

Publid Date: 2022-11-02T00:00:00Z

Links: CVE-2022-39379 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39379", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:00:44.172Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-11-02T00:00:00"}, "containers": {"cna": {"title": "Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`."}], "affected": [{"vendor": "fluent", "product": "fluentd", "versions": [{"version": ">= 1.13.2, < 1.15.3", "status": "affected"}]}], "references": [{"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2"}, {"url": "https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135"}, {"name": "FEDORA-2023-6b9e2a6534", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "cweId": "CWE-502"}]}], "source": {"advisory": "GHSA-fppq-mj76-fpj2", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:44.172Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2", "tags": ["x_transferred"]}, {"url": "https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135", "tags": ["x_transferred"]}, {"name": "FEDORA-2023-6b9e2a6534", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fluentd:fluentd:*:*:*:*:*:*:*:*", "matchCriteriaId": "242E386A-FF76-40A5-908E-A4D7C13D7DD7", "versionEndExcluding": "1.15.3", "versionStartIncluding": "1.13.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`."}, {"lang": "es", "value": "Fluentd recopila eventos de diversas fuentes de datos y los escribe en archivos, RDBMS, NoSQL, IaaS, SaaS, Hadoop, etc. Una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) en configuraciones no predeterminadas de Fluentd permite a atacantes no autenticados ejecutar c\u00f3digo arbitrario a trav\u00e9s de payloads JSON especialmente manipulados. Las configuraciones de Fluentd solo se ven afectadas si la variable de entorno `FLUENT_OJ_OPTION_MODE` se establece expl\u00edcitamente en `object`. Tenga en cuenta: la opci\u00f3n FLUENT_OJ_OPTION_MODE se introdujo en la versi\u00f3n 1.13.2 de Fluentd. Las versiones anteriores de Fluentd no se ven afectadas por esta vulnerabilidad. Este problema se solucion\u00f3 en la versi\u00f3n 1.15.3. Como workaround alternativo, no utilice `FLUENT_OJ_OPTION_MODE=object`."}], "id": "CVE-2022-39379", "lastModified": "2023-11-07T03:50:28.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-11-02T13:15:13.583", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"bugzilla": {"description": "fluentd: remote code execution via crafted JSON payloads", "id": "2142460", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142460"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.", "A remote code execution (RCE) vulnerability was found in non-default configurations of Fluentd. This issue allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads."], "name": "CVE-2022-39379", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/fluentd-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "fluentd", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/logging-fluentd", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-logging-fluentd", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "puppet-fluentd", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "rhosp13/openstack-fluentd", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2022-11-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-39379\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-39379\nhttps://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2"], "statement": "The Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object, which is a non-default configuration. Hence, this CVE is categorized as Moderate impact.", "threat_severity": "Moderate", "upstream_fix": "fluentd 1.15.3"}