CVE-2022-39379 : Fluentd collects events from various data sources and writes them to files, RDBM

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.

Published 2022-11-02 13:15:14

Updated 2023-03-01 16:36:34

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2022-39379

Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd
Versions from including (>=) 1.13.2 and before (<) 1.15.3
cpe:2.3:a:fluentd:fluentd:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-39379

EPSS FAQ

8.87%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 92 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-39379

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
3.1	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N	1.6	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2022-39379

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)

References for CVE-2022-39379

https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2

Remote code execution due to insecure deserialization (in non-default configuration) · Advisory · fluent/fluentd · GitHub
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/

[SECURITY] Fedora 37 Update: golang-github-graylog2-gelf-2.0.0-6.20201111git1550ee6.fc37 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135

Remove `object` from the available list of `FLUENT_OJ_OPTION_MODE` · fluent/fluentd@48e5b85 · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-39379

Products affected by CVE-2022-39379

Exploit prediction scoring system (EPSS) score for CVE-2022-39379

CVSS scores for CVE-2022-39379

CWE ids for CVE-2022-39379

References for CVE-2022-39379