[Japanese]

JVNDB-2017-010280

Fluentd vulenrable to escape sequence injection

Overview

Fluentd provided by Cloud Native Computing Foundation (CNCF) contains an escape sequence injection vulnerability.

Fluentd is an open source data collector provided by Cloud Native Computing Foundation (CNCF). The parse Filter Plugin for Fluentd contains an escape sequence injection vulnerability (CWE-150) due to a flaw in processing logs.

Teppei Fukuda reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

Base Metrics: 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

CVSS V3 Severity:
Base Metrics: 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
Affected Products


Cloud Native Computing Foundation (CNCF)
  • Fluentd version 0.12.29 through 0.12.40

Impact

Processing a specially crafted log may change the terminal UI or possibly execute arbitrary command on the device collecting logs.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Cloud Native Computing Foundation (CNCF)
CWE (What is CWE?)

  1. Improper Neutralization of Escape, Meta, or Control Sequences(CWE-150) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2017-10906
References

  1. JVN : JVNVU#95124098
Revision History

[2017/12/11]
  Web page was published