Are We About to See Another Log4j?
This one is called LINGUISTIC LUMBERJACK.
Fluent Bit is a very widely used open-source logging package in the cloud, used by all major cloud providers.
It has been downloaded over 3 billion times just in 2022.
Fluent Bit is described as “a lightweight, open-source data collector and processor” that collects and processes logs from various applications and systems.
Tenable Research discovered the flaw, which they named Linguistic Lumberjack, and said that it allowed them to access metrics and logging endpoints within cloud services, potentially leading to information leaking between clients.
There are three flavors of damage this vulnerability could cause:
- Denial of Service
- Information Disclosure
- Remote Code Execution
Tenable says that an attacker could crash the Fluent Bit service, stopping it from processing logs.
An attacker could also access any sensitive data that might be in a log file, such as PII or passwords.
In the worst-case scenario, the attacker could inject malicious code, steal data, or even take control of the cloud environment.
At least the fix came quickly. The issue was reported to the volunteers who maintain the code on April 30th. The fixes were released two weeks later, on May 15th, just a few days ago.
Tenable notified Microsoft, Amazon and Google of the vulnerability in their environments on the same day the fix was released, May 15th.
We are just learning about this. As of today, we don’t know how widespread this problem is going to be. Will the Amazons of the world be able to mitigate it on their own, or will package developers need to release new packages as well? Or is this going to be another Log4j, something we are still dealing with years later?
Definitely time to do some research.
Credit: HackRead