[Japanese]

JVNDB-2017-010280

Fluentd vulenrable to escape sequence injection

Overview

Fluentd provided by Cloud Native Computing Foundation (CNCF) contains an escape sequence injection vulnerability.

Fluentd is an open source data collector provided by Cloud Native Computing Foundation (CNCF). The parse Filter Plugin for Fluentd contains an escape sequence injection vulnerability (CWE-150) due to a flaw in processing logs.

Teppei Fukuda reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Cloud Native Computing Foundation (CNCF)
  • Fluentd version 0.12.29 through 0.12.40

Impact

Processing a specially crafted log may change the terminal UI or possibly execute arbitrary command on the device collecting logs.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Cloud Native Computing Foundation (CNCF)
CWE (What is CWE?)

  1. Improper Neutralization of Escape, Meta, or Control Sequences(CWE-150) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2017-10906
References

  1. JVN : JVNVU#95124098
  2. National Vulnerability Database (NVD) : CVE-2017-10906
Revision History

  • [2017/12/11]
      Web page was published
  • [2018/04/11]
      References : Content was added

Date Public2017/12/08
Date First Published2017/12/11
Date Last Updated2017/12/11