A critical vulnerability exists in several Fluent Bit input plugins that fails to properly clean user-supplied data. An attacker can exploit this weakness by sending specially crafted data to inject malicious characters, which can lead to log data being corrupted, misrouted, or written to unauthorized locations on the file system, severely impacting data integrity and system security.

The in_http, in_splunk, and in_elasticsearch input plugins in Fluent Bit are vulnerable to improper input sanitization. Specifically, the tag_key parameter, which is used to create tags for routing logs, does not adequately sanitize special characters. An attacker with network access to these inputs can provide tag_key values containing characters like newlines (\n) or path traversal sequences (../), which are then processed as part of a valid tag. Since these tags are used by output plugins to determine routing, filenames, or even log content, this flaw can be exploited for newline injection in logs, path traversal to write files in arbitrary locations, injection of forged log records, and general misrouting of log data.

This vulnerability is rated as critical with a CVSS score of 9.1, posing a significant risk to the organization. Successful exploitation could lead to a severe loss of data integrity, making logs unreliable for security forensics, compliance auditing, and operational monitoring. An attacker could forge log entries to hide their activity or implicate others, or use path traversal to potentially overwrite critical system files or place malicious scripts in sensitive directories. Furthermore, the misrouting of logs could lead to a denial of service for monitoring systems or the exposure of sensitive information if logs are routed to an insecure or unintended destination.

Immediate Action:

• Immediately update all instances of Fluent Bit to the latest patched version as recommended by the vendor.
• After patching, review system and application logs for any signs of past exploitation attempts, focusing on logs related to the affected input plugins.

Proactive Monitoring:

• Inspect Fluent Bit and upstream device logs for incoming tag_key values that contain suspicious character sequences, such as ../, \n, %0a, or other encoded special characters.
• Monitor network traffic to the in_http, in_splunk, and in_elasticsearch listeners for anomalous request patterns.
• Implement file integrity monitoring (FIM) on log directories and critical system directories to detect unauthorized file creation or modification that could indicate a successful path traversal attack.

Compensating Controls:

• If immediate patching is not feasible, restrict network access to the vulnerable Fluent Bit input plugins to only trusted, whitelisted IP addresses.
• Place a Web Application Firewall (WAF) or a reverse proxy in front of the in_http plugin to inspect and sanitize incoming HTTP requests, specifically blocking requests with malicious characters in the tag_key.
• Run the Fluent Bit service with the lowest possible user privileges and enforce strict file system permissions to limit the impact of a potential path traversal exploit.

Public Exploit Available: false

Given the critical severity (CVSS 9.1) of this vulnerability and its direct impact on data integrity and log routing, it is imperative that organizations prioritize patching all affected Fluent Bit instances immediately. Although this CVE is not currently listed on the CISA KEV list, its high potential for impact makes it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls listed above, particularly network segmentation and input filtering, should be implemented as a matter of urgency to reduce the attack surface.