PT-2025-6703 · Unknown+1 · Fluent-Bit+1

Faran Abdullah · Published 2025-02-18 · Updated 2025-04-23 · CVE-2024-50609

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Fluent Bit version 3.1.9
Description: An issue was discovered in Fluent Bit when the OpenTelemetry input plugin is running and listening on an IP address and port. A user with access to the endpoint can send a packet with Content-Length: 0 and crash the server, allowing for a remote Denial of Service attack. The crash occurs due to a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len(), which tries to cast a NULL pointer into struct cfl_sds. This is related to the process_payload_traces_proto_ng() function in opentelemetry_prot.c.
Recommendations: As a temporary workaround, consider disabling the OpenTelemetry input plugin until a patch is available. Restrict access to the vulnerable endpoint to minimize the risk of exploitation. Avoid sending packets with Content-Length: 0 to the affected server until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
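The bug mechanism above, reduced to a minimal C model as an added example (this is not Fluent Bit's own code; the cfl_sds-style header layout and the handler names are assumptions), with the unchecked handler beside a hardened one that rejects an empty body before any length lookup:

```c
/* Added illustration, not Fluent Bit's code. Names and struct layout are a simplified
   stand-in modelled on the cfl_sds identifiers the advisory mentions (assumption). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Length-prefixed string: the header lives immediately before the buffer handed to callers. */
struct sds_hdr { size_t len; char buf[]; };
typedef char *sds_t;
#define SDS_HEADER(s) ((struct sds_hdr *)((s) - sizeof(struct sds_hdr)))

static sds_t sds_create(const char *src, size_t n)
{
    struct sds_hdr *h = malloc(sizeof(*h) + n + 1);
    if (h == NULL) return NULL;
    h->len = n;
    memcpy(h->buf, src, n);
    h->buf[n] = '\0';
    return h->buf;
}
static void sds_destroy(sds_t s) { if (s != NULL) free(SDS_HEADER(s)); }

/* Unchecked accessor: casts whatever it receives into the header struct. Given NULL, the
   pointer arithmetic yields an invalid address and the read faults, crashing the process. */
static size_t sds_len(sds_t s) { return SDS_HEADER(s)->len; }

/* Simulated request body: Content-Length: 0 means no buffer is allocated, so the payload
   handed to the trace decoder is NULL. */
static sds_t body_from_request(const char *body, size_t content_length)
{
    return content_length == 0 ? NULL : sds_create(body, content_length);
}
/* Vulnerable shape: the payload length is read before the payload is checked. With
   content_length == 0 this dereferences NULL, the remote DoS the advisory describes. */
static long handle_traces_vulnerable(const char *body, size_t content_length)
{
    sds_t payload = body_from_request(body, content_length);
    long n = (long)sds_len(payload);
    sds_destroy(payload);
    return n;
}

/* Hardened shape: reject a missing or empty payload before any length lookup. Returns -1
   (map to HTTP 400 in a server) or the length passed on to the protobuf decoder. */
static long handle_traces_hardened(const char *body, size_t content_length)
{
    sds_t payload = body_from_request(body, content_length);
    if (payload == NULL || sds_len(payload) == 0) { sds_destroy(payload); return -1; }
    long n = (long)sds_len(payload);
    sds_destroy(payload);
    return n;
}
```

The hardened handler is what a fix needs to look like at the call site: the zero-length case is decided before any pointer is cast into the header struct, so the empty request is answered instead of taking the process down.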

Exploit

DoS

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

ALT-PU-2025-3622
AZL-57078
AZL-57086
BIT-FLUENT-BIT-2024-50609
CVE-2024-50609

Affected Products

Alt Linux
Fluent-Bit