Merge pull request from GHSA-5rjf-prwh-pp7q
* api/v1/traces: validate inputs when enabling traces.

validate the array of inputs when enabling multiple traces that
they are strings.

this patch also refactors out the allocation of said input name.

Signed-off-by: Phillip Adair Stewart Whelan <phillip.whelan@chronosphere.io>

* api/v1/traces: disable traces api when tracing is disabled.

Signed-off-by: Phillip Adair Stewart Whelan <phillip.whelan@chronosphere.io>

* api/v1/trace: use macros for strings and lengths in responses.

avoid strlen when creating http response, especially in loops,
by predefining them via macros.

Signed-off-by: Phillip Whelan <phil@calyptia.com>

* api/v1/trace: use sizeof for string length macros.

Signed-off-by: Phillip Whelan <phil@calyptia.com>

* api/v1/trace: use signed lengths for strings.

this avoids potential integer overflows when using them as
specifiers for format strings.

Signed-off-by: Phillip Whelan <phil@calyptia.com>

* api/v1/traces: use macro for inputs string.

Signed-off-by: Phillip Whelan <phil@calyptia.com>

* api/v1/traces: use sizeof when comparing against base path.

Signed-off-by: Phillip Whelan <phil@calyptia.com>

* api/v1/traces: replace strlen with flb_sds_len when using flb_sds_t.

Signed-off-by: Phillip Whelan <phil@calyptia.com>

---------

Signed-off-by: Phillip Adair Stewart Whelan <phillip.whelan@chronosphere.io>
Signed-off-by: Phillip Whelan <phil@calyptia.com>
pwhelan committed May 15, 2024
1 parent 1252ffa commit 9311b43
Showing 1 changed file with 135 additions and 84 deletions.
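The pattern the commit message describes, shown as an added C example that is not Fluent Bit's code: every element of the "inputs" array is checked to be a string before it is used, string-literal lengths come from a `sizeof`-based macro instead of `strlen`, and the lengths are signed `int` values because that is the type `%.*s` takes as its precision argument. The `struct val` type, the `STR_LEN` macro and the `inputs_all_strings`, `build_response` and `demo_*` functions are hypothetical stand-ins, and the sample input lists are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compile-time length of a string literal: sizeof() instead of strlen(), and an
 * int so the value can be passed directly as a %.*s precision. (Hypothetical.) */
#define STR_LEN(lit)  ((int)(sizeof(lit) - 1))
#define RESP_BAD      "{\"error\":\"inputs must be an array of strings\"}"
#define RESP_BAD_LEN  STR_LEN(RESP_BAD)
#define RESP_HEAD     "{\"inputs\":["
#define RESP_HEAD_LEN STR_LEN(RESP_HEAD)
#define RESP_TAIL     "]}"
#define RESP_TAIL_LEN STR_LEN(RESP_TAIL)

/* Stand-in for a decoded request value (constructed for this example; not the
 * object type Fluent Bit itself decodes requests into). */
enum val_type { VAL_STR, VAL_INT, VAL_NULL };
struct val {
    enum val_type type;
    const char   *str;  /* valid only when type == VAL_STR */
    size_t        len;  /* byte length of str */
};

/* Return 1 when every element is a non-empty string whose length fits in an
 * int (the type of a %.*s precision argument), otherwise 0. */
int inputs_all_strings(const struct val *arr, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (arr[i].type != VAL_STR || arr[i].str == NULL)
            return 0;
        if (arr[i].len == 0 || arr[i].len > (size_t)INT_MAX)
            return 0;
    }
    return 1;
}

/* Append exactly len bytes of src at buf + *off using a bounded %.*s write.
 * Returns 0 on success, -1 if the data would not fit. */
static int append(char *buf, size_t bufsz, int *off, const char *src, int len)
{
    size_t room = bufsz - (size_t)*off;
    if (len < 0)
        return -1;
    int w = snprintf(buf + *off, room, "%.*s", len, src);
    if (w < 0 || (size_t)w >= room)
        return -1;
    *off += w;
    return 0;
}

/* Build the JSON response into buf; returns its length, or -1 on overflow
 * or when the input list fails validation and the error body does not fit. */
int build_response(char *buf, size_t bufsz, const struct val *arr, size_t n)
{
    int off = 0;
    if (bufsz == 0)
        return -1;
    buf[0] = '\0';
    if (!inputs_all_strings(arr, n))
        return append(buf, bufsz, &off, RESP_BAD, RESP_BAD_LEN) ? -1 : off;
    if (append(buf, bufsz, &off, RESP_HEAD, RESP_HEAD_LEN)) return -1;
    for (size_t i = 0; i < n; i++) {
        if (i && append(buf, bufsz, &off, ",", 1)) return -1;
        if (append(buf, bufsz, &off, "\"", 1)) return -1;
        /* The cast is safe: inputs_all_strings() rejected len > INT_MAX. */
        if (append(buf, bufsz, &off, arr[i].str, (int)arr[i].len)) return -1;
        if (append(buf, bufsz, &off, "\"", 1)) return -1;
    }
    if (append(buf, bufsz, &off, RESP_TAIL, RESP_TAIL_LEN)) return -1;
    return off;
}

/* Constructed sample request: two well-formed input names. */
const char *demo_valid_response(void)
{
    static char buf[128];
    const struct val inputs[] = { { VAL_STR, "tail.0", 6 }, { VAL_STR, "dummy.1", 7 } };
    build_response(buf, sizeof(buf), inputs, 2);
    return buf;
}

/* Constructed sample request: the second element is an integer, not a string. */
const char *demo_invalid_response(void)
{
    static char buf[128];
    const struct val inputs[] = { { VAL_STR, "tail.0", 6 }, { VAL_INT, NULL, 0 } };
    build_response(buf, sizeof(buf), inputs, 2);
    return buf;
}

int main(void)
{
    printf("%s\n%s\n", demo_valid_response(), demo_invalid_response());
    return 0;
}
```

The length check against `INT_MAX` is the point of the "signed lengths" item in the commit message: a `size_t` silently converted to the `int` that `%.*s` expects can wrap to a negative precision, so the bound is enforced once during validation and the later cast is known to be safe.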

1 comment on commit 9311b43


@luis261 luis261 commented on 9311b43 May 22, 2024


@pwhelan at cursory glance, it seems to me that previous to this commit (which fixes CVE-2024-4323), disabling the trace API endpoint(s) in the config did not actually result in the affected endpoint being disabled.

9311b43#diff-a944a60850c06cb44a5fe5452b5f771cb40f2a1403b209e12eb15317dd0f679fR661

Signed-off-by: Phillip Adair Stewart Whelan phillip.whelan@chronosphere.io

  • api/v1/traces: disable traces api when tracing is disabled.

Is my understanding correct? If so, this would be problematic, since some advisories making the rounds [1][2][3][4] mention disabling the tracing API as a temporary workaround until a patch for CVE-2024-4323 is deployed.

Footnotes

  1. "disable the vulnerable API endpoint if it's not being used to prevent potential attacks and remove the attack surface": https://www.bleepingcomputer.com/news/security/critical-fluent-bit-flaw-impacts-all-major-cloud-providers/

  2. https://www.securityweek.com/vulnerability-found-in-fluent-bit-utility-used-by-major-cloud-tech-companies/

  3. https://www.theregister.com/2024/05/21/fluent_bit_flaw/

  4. https://www.tenable.com/blog/linguistic-lumberjack-attacking-cloud-services-via-logging-endpoints-fluent-bit-cve-2024-4323
