Ashie

**Name of the Vulnerable Software and Affected Versions** Fluentd versions 1.13.2 through 1.15.2 **Description** A remote code execution vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. This issue affects Fluentd setups where the environment variable `FLUENT OJ OPTION MODE` is explicitly set to `object`. The option `FLUENT OJ OPTION MODE` was introduced in Fluentd version 1.13.2, and earlier versions are not affected. **Recommendations** For Fluentd versions 1.13.2 through 1.15.2, update to version 1.15.3 to resolve the issue. As a temporary workaround for affected versions, do not use `FLUENT OJ OPTION MODE=object`.

**Name of the Vulnerable Software and Affected Versions** Fluentd versions 0.14.14 through 1.14.1 **Description** The parser apache2 plugin in Fluentd suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. **Recommendations** For versions 0.14.14 through 1.14.1, either do not use the parser apache2 for parsing logs or put a patched version of parser apache2.rb into the /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT PLUGIN` or the `--plugin` option of fluentd). For version 1.14.2 and later, no action is required as this issue is patched.