fluentd 1.7.0.rc1

2 security vulnerabilities found in version 1.7.0.rc1

Fluent Fluentd and Fluent-ui use default password

high severity CVE-2020-21514
high severity CVE-2020-21514
Affected versions: <= 1.8.0

An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 that allows attackers to gain escilated privileges and execute arbitrary code due to use of a default password.

ReDoS vulnerability in parser_apache2

medium severity CVE-2021-41186
medium severity CVE-2021-41186
Patched versions: >= 1.14.2
Unaffected versions: < 0.14.14

Impact

parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack.

Patches

v1.14.2

Workarounds

Either of the following:

  • Don't use parser_apache2 for parsing logs which cannot guarantee generated by Apache.
  • Put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable FLUENT_PLUGIN or --plugin option of fluentd).

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.