Fluent Bit Prometheus Remote Write Input Plugin Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in Fluent Bit version 3.1.9, specifically within the Prometheus Remote Write input plugin. When this plugin is active and receiving data, it improperly handles HTTP requests whose Content-Length header is zero. Because the empty body is never checked for, the handler dereferences a null pointer and the process dies with a segmentation fault. Any remote user who can reach the endpoint can therefore disrupt the service.
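The bug class described above, as an added C illustration rather than Fluent Bit's own source: a minimal model of an HTTP input handler that touches the body pointer of a request with Content-Length 0, next to the guarded form that rejects the request first. The struct layout, function names, placeholder path and status codes are hypothetical.

```c
/* Added illustration, not Fluent Bit source: a minimal model of the bug class
 * the advisory describes (an HTTP input handler that dereferences the body
 * pointer of a request whose Content-Length is 0) next to the guarded form.
 * The struct layout, function names, path and status codes are hypothetical. */
#include <stddef.h>
#include <stdio.h>

/* Hypothetical parsed request. A parser that only allocates a body buffer for
 * non-empty payloads leaves body == NULL when Content-Length is 0. */
struct http_request {
    const char *path;
    size_t content_length;
    const unsigned char *body;  /* NULL when content_length == 0 */
};

/* Vulnerable pattern: reads the payload before checking that there is one.
 * With body == NULL this is a null-pointer dereference and a segfault. */
int handle_remote_write_unsafe(const struct http_request *req)
{
    /* Remote-write payloads are snappy-compressed protobuf; a real decoder
     * would start reading here. This stand-in only inspects the first byte. */
    unsigned char first = req->body[0];
    return first == 0xff ? 400 : 200;  /* hypothetical accept/reject */
}

/* Hardened pattern: validate length and pointer before any dereference and
 * answer the client with an error instead of touching a missing buffer. */
int handle_remote_write_safe(const struct http_request *req)
{
    if (req->content_length == 0 || req->body == NULL) {
        return 400;  /* Bad Request: empty or missing body */
    }
    unsigned char first = req->body[0];
    return first == 0xff ? 400 : 200;
}

/* Constructed sample inputs for the demo; "/write" is a placeholder path. */
int demo_empty_request_safe(void)
{
    struct http_request req = { "/write", 0, NULL };
    return handle_remote_write_safe(&req);
}

int demo_nonempty_request_safe(void)
{
    static const unsigned char payload[] = { 0x0a, 0x10, 0x20 };
    struct http_request req = { "/write", sizeof payload, payload };
    return handle_remote_write_safe(&req);
}

int demo_nonempty_request_unsafe(void)
{
    static const unsigned char payload[] = { 0x0a, 0x10, 0x20 };
    struct http_request req = { "/write", sizeof payload, payload };
    return handle_remote_write_unsafe(&req);
}

int main(void)
{
    printf("safe handler, empty body:       %d\n", demo_empty_request_safe());
    printf("safe handler, non-empty body:   %d\n", demo_nonempty_request_safe());
    printf("unsafe handler, non-empty body: %d\n", demo_nonempty_request_unsafe());
    /* handle_remote_write_unsafe is deliberately never called on the empty
     * request: it would crash the process, which is the advisory's point. */
    return 0;
}
```

The guard is the whole fix: an empty body is a protocol error the client should hear about as a 400, and nothing downstream may assume a buffer exists until length and pointer have both been checked.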
Impact
Exploitation of this vulnerability causes a segmentation fault, crashing the Fluent Bit process and disrupting any logging or data processing activities.
Reproduction
To reproduce this vulnerability, send an HTTP POST request to the Prometheus Remote Write endpoint with the Content-Length header set to zero. This can be done using tools like curl or Burp Suite. The request will cause the Fluent Bit server to crash by triggering a null pointer dereference.
Remediation
Users can upgrade to Fluent Bit versions 4.0.2 or 4.0.3, both of which include a patch for this vulnerability.
