Cyber Resilience

CVE-2022-39379

Severity: Low
Published: 02 November 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0600 (90.9th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-39379 is a low-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Fluentd (vendor: Fluentd). Its CVSS v3.1 base score is 3.1 (Low).

Operationally, it ranks in the top 9.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Fluentd is an open-source data collector that aggregates events from multiple sources and forwards them to various storage and analytics backends. CVE-2022-39379 is a remote code execution vulnerability that stems from unsafe deserialization (CWE-502) of JSON payloads when the non-default environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. The flaw was introduced in version 1.13.2; earlier releases are unaffected. It received a CVSS 3.1 base score of 3.1, reflecting the high attack complexity and limited impact under the affected configuration.

An attacker who can supply a crafted JSON payload to an affected Fluentd instance can trigger arbitrary code execution. The vulnerability is exploitable over the network without authentication when the environment variable is set to `object`, although the CVSS vector records low privileges as required. Successful exploitation lets the attacker run code within the Fluentd process context, potentially leading to further compromise of the host or of downstream data pipelines.

The official GitHub Security Advisory GHSA-fppq-mj76-fpj2 and accompanying commit 48e5b85 recommend upgrading to Fluentd 1.15.3 or later. As a workaround, administrators are advised to avoid setting FLUENT_OJ_OPTION_MODE=object. The EPSS score has remained low, with a current value of 0.0600 and a peak of 0.0774, indicating limited observed exploitation interest since disclosure.

EU & UK References

Vulnerability details

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: the option `FLUENT_OJ_OPTION_MODE` was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround, do not use `FLUENT_OJ_OPTION_MODE=object`.
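The affected-configuration condition described in the analysis and in the vulnerability details above has two parts: a Fluentd version in the vulnerable range and the non-default `FLUENT_OJ_OPTION_MODE=object` setting. The following Ruby check turns that into a deployment audit; it is an added example, not Fluentd project code, and the environment-file contents and paths in it are constructed.

```ruby
# Added example, not Fluentd project code: decide from a deployment's Fluentd
# version and environment whether it meets both conditions of CVE-2022-39379.
require "rubygems" # Gem::Version compares "1.13.2" < "1.15.3" numerically

# Affected range from the advisory: introduced in 1.13.2, fixed in 1.15.3.
FIRST_AFFECTED = Gem::Version.new("1.13.2")
FIXED_IN       = Gem::Version.new("1.15.3")

# True when the Fluentd version lies in [1.13.2, 1.15.3).
def vulnerable_version?(version)
  v = Gem::Version.new(version)
  v >= FIRST_AFFECTED && v < FIXED_IN
end

# Parses KEY=VALUE lines as used by a systemd EnvironmentFile or docker
# --env-file; blank lines and comments are skipped, quotes around values dropped.
def parse_env_file(text)
  text.each_line.with_object({}) do |line, env|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split("=", 2)
    next if value.nil?
    env[key.strip] = value.strip.delete_prefix('"').delete_suffix('"')
  end
end

# Exposure needs BOTH a vulnerable version AND the non-default
# FLUENT_OJ_OPTION_MODE=object setting; the result names the condition that
# clears the deployment, or :exposed when neither does.
def assess(version, env)
  return :unaffected_version unless vulnerable_version?(version)
  return :safe_mode unless env["FLUENT_OJ_OPTION_MODE"] == "object"
  :exposed
end

# Constructed sample environment file (hypothetical path and values).
SAMPLE_ENV = <<~ENV
  # fluentd service environment
  FLUENT_CONF="/etc/fluent/fluent.conf"
  FLUENT_OJ_OPTION_MODE=object
ENV

if __FILE__ == $0
  env = parse_env_file(SAMPLE_ENV)
  %w[1.13.1 1.14.0 1.15.3].each do |v|
    puts "fluentd #{v}: #{assess(v, env)}"
  end
end
```

Removing the `FLUENT_OJ_OPTION_MODE=object` line (the documented workaround) makes `assess` return `:safe_mode` even on a vulnerable version; upgrading to 1.15.3 makes it return `:unaffected_version` regardless of the environment.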

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fluentd / fluentd: 1.13.2 — 1.15.3
fedoraproject / fedora: 37

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each item addresses CWE-502.

- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
- Untrusted serialized data can be deserialized and observed inside an isolated sandbox, blocking gadget-chain exploitation outside the sandbox.
- Validating or rejecting untrusted serialized data before deserialization occurs.
- Identifying and blocking malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized information can detect tampering before deserialization occurs.
- Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.

References