CVE-2020-35963

7.8 HIGH

📋 TL;DR

CVE-2020-35963 is an out-of-bounds write vulnerability in Fluent Bit's gzip compression function that could allow attackers to execute arbitrary code or cause denial of service. This affects all systems running Fluent Bit versions before 1.6.4 that use gzip compression. The vulnerability stems from incorrect calculation of maximum gzip data-size expansion.
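The root cause named above is an output buffer sized by an under-estimate of how large gzip output can get. The Python below is an added illustration of that bug class and is not Fluent Bit's code: it compresses incompressible input and compares the real output size against two bounds. The "naive" formula is a constructed stand-in for a percentage-style heuristic (it is not the formula Fluent Bit used); the "safe" bound follows the constant terms of zlib's compressBound() with the zlib wrapper swapped for the larger gzip header and trailer. Small and incompressible inputs are where heuristics fall short, so those are the sizes exercised.

```python
"""Worst-case gzip output-size bound (added example, not Fluent Bit code)."""
import random
import zlib

GZIP_HEADER = 10   # fixed gzip member header, no optional fields
GZIP_TRAILER = 8   # CRC32 + ISIZE
ZLIB_WRAPPER = 6   # 2-byte zlib header + 4-byte Adler-32, already counted by compressBound()


def naive_bound(in_len: int) -> int:
    """Constructed heuristic (assumption, not Fluent Bit's formula):
    assumes compression 'mostly' shrinks data, so a 10% slack + 12 bytes is enough."""
    return in_len + in_len // 10 + 12


def gzip_bound(in_len: int) -> int:
    """Conservative upper bound: zlib's compressBound() terms, re-based on gzip framing.
    A real implementation should call the library's deflateBound()/compressBound()
    rather than re-deriving these constants."""
    deflate_bound = in_len + (in_len >> 12) + (in_len >> 14) + (in_len >> 25) + 13
    return deflate_bound - ZLIB_WRAPPER + GZIP_HEADER + GZIP_TRAILER


def gzip_compress(data: bytes, level: int = 6) -> bytes:
    """Produce one gzip member; wbits=31 selects the gzip wrapper in zlib."""
    c = zlib.compressobj(level, zlib.DEFLATED, 31)
    return c.compress(data) + c.flush()


def incompressible(n: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random bytes: deflate cannot shrink these, only expand them."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def check_bounds(data: bytes, level: int = 6) -> dict:
    """Measure the real gzip output and report whether each bound would have held."""
    out_len = len(gzip_compress(data, level))
    return {
        "in_len": len(data),
        "out_len": out_len,
        "naive_ok": out_len <= naive_bound(len(data)),   # False => the writer would overrun
        "safe_ok": out_len <= gzip_bound(len(data)),
    }


if __name__ == "__main__":
    for n in (0, 1, 16, 100, 1000, 70000):
        print(check_bounds(incompressible(n)))
```

For an empty or one-byte input the gzip output is already about 20 bytes of framing, so any bound that scales with the input and adds a small constant is exceeded before the first payload byte; that is the shape of miscalculation the advisory describes, and a bound taken from the compression library itself is the fix.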

💻 Affected Systems

Products:
  • Fluent Bit
Versions: All versions before 1.6.4
Operating Systems: All platforms running Fluent Bit
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using gzip compression functionality. The vulnerability is triggered when processing compressed data.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or persistent backdoor installation.

🟠 Likely Case

Denial of service through application crashes or memory corruption, potentially disrupting log processing pipelines.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege principles are implemented, though service disruption remains possible.

🌐 Internet-Facing: MEDIUM - Fluent Bit is often deployed internally but could be exposed via APIs or management interfaces.
🏢 Internal Only: HIGH - Fluent Bit is commonly used in internal log processing pipelines where compromise could affect multiple systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept exists in OSS-Fuzz reports. Exploitation requires sending specially crafted gzip data to the vulnerable component.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.4 and later

Vendor Advisory: https://fluentbit.io/announcements/v1.6.4/

Restart Required: Yes

Instructions:

1. Download Fluent Bit 1.6.4 or later from https://fluentbit.io/download/
2. Stop the Fluent Bit service
3. Install the new version
4. Restart the Fluent Bit service

🔧 Temporary Workarounds

Disable gzip compression (applies to: all)

Disable gzip compression functionality to prevent exploitation: modify the Fluent Bit configuration to remove or disable gzip compression options.

Network segmentation (applies to: all)

Restrict network access to Fluent Bit instances: configure firewall rules to limit inbound connections to Fluent Bit.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can send data to Fluent Bit instances
  • Monitor for abnormal memory usage or crashes in Fluent Bit processes

🔍 How to Verify

Check if Vulnerable:

Check the Fluent Bit version with 'fluent-bit --version' or examine the installed package version.

Check Version:

fluent-bit --version

Verify Fix Applied:

Confirm the version is 1.6.4 or higher and test that gzip compression still works.
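The version check above is easy to get wrong with string comparison ("1.6.10" sorts before "1.6.4" lexically). The Python below is an added example, not from the page or the Fluent Bit project: it parses the dotted version out of the command's output and compares it numerically against 1.6.4. The sample output strings are constructed, and the assumption that the banner contains a "vX.Y.Z" token is an assumption about the tool's output format.

```python
"""Numeric version check for the CVE-2020-35963 fix release (added example)."""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (1, 6, 4)          # first release carrying the fix, per the advisory
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the first dotted triple out of text such as 'Fluent Bit v1.6.3'."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(banner: str) -> Optional[bool]:
    """True when the reported version predates 1.6.4, False when it is 1.6.4 or
    later, None when no version could be parsed (treat None as 'investigate')."""
    v = parse_version(banner)
    return None if v is None else v < FIXED_VERSION


def check_installed(binary: str = "fluent-bit") -> Optional[bool]:
    """Run `fluent-bit --version` on this host and classify the result.
    `binary` is an assumed path; adjust if the package installs elsewhere."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_vulnerable(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Constructed sample banners, not captured output.
    for banner in ("Fluent Bit v1.6.3", "Fluent Bit v1.6.4", "Fluent Bit v1.6.10", "no version here"):
        print(f"{banner!r}: vulnerable={is_vulnerable(banner)}")
    print("this host:", check_installed())
```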

📡 Detection & Monitoring

Log Indicators:

  • Fluent Bit process crashes
  • Memory allocation errors in logs
  • Abnormal termination messages

Network Indicators:

  • Unusual gzip-compressed traffic patterns to Fluent Bit ports
  • Multiple connection attempts with compressed data

SIEM Query:

source="fluent-bit" AND ("segmentation fault" OR "out of bounds" OR "memory corruption" OR "gzip error")
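The query above reads the source field literally, which is worth checking against how crashes actually land in logs: a segfault is reported by the kernel and an abnormal exit by the service manager, both under their own source, with "fluent-bit" only in the message body. The Python below is an added example, not from the page: it applies the page's query as written to constructed syslog-style lines, adds a second rule for crash reports written about the process by other sources, and rolls hits up per host so a burst stands out from a single event. The log lines and their timestamp/host/program[pid] layout are constructed assumptions about the collector's format.

```python
"""Log-indicator matching for the CVE-2020-35963 indicators (added example)."""
import re
from typing import Dict, List, Optional

# Terms from the SIEM query on the page.
PAGE_TERMS = ["segmentation fault", "out of bounds", "memory corruption", "gzip error"]
# Crash-shaped messages other sources (kernel, systemd) write about a process.
CRASH_TERMS = ["segfault", "SIGSEGV", "SEGV", "core dumped", "code=dumped"]

_PAGE_RE = re.compile("|".join(re.escape(t) for t in PAGE_TERMS), re.IGNORECASE)
_CRASH_RE = re.compile("|".join(re.escape(t) for t in CRASH_TERMS), re.IGNORECASE)
# Assumed syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample lines, not real logs.
SAMPLE_LINES = [
    "Nov 12 10:00:01 log01 fluent-bit[2231]: [ info] [engine] started (pid=2231)",
    "Nov 12 10:00:05 log01 fluent-bit[2231]: [error] [output:http] gzip error: compression failed",
    "Nov 12 10:00:06 log01 kernel: fluent-bit[2231]: segfault at 0 ip 00005555 sp 00007ffc error 6",
    "Nov 12 10:00:07 log01 systemd[1]: fluent-bit.service: Main process exited, code=dumped, status=11/SEGV",
    "Nov 12 10:00:10 log01 nginx[400]: upstream out of bounds read, unrelated to fluent-bit",
]


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split one line into ts/host/prog/msg; None if it does not fit the assumed layout."""
    m = _SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def matches_page_query(rec: Dict[str, str]) -> bool:
    """Literal reading of: source="fluent-bit" AND (term1 OR term2 OR ...)."""
    return rec["prog"] == "fluent-bit" and bool(_PAGE_RE.search(rec["msg"]))


def matches_crash_report(rec: Dict[str, str]) -> bool:
    """Crash evidence logged by another source that names fluent-bit in the body.
    The literal query misses these because the source field is kernel or systemd."""
    return (rec["prog"] != "fluent-bit"
            and "fluent-bit" in rec["msg"]
            and bool(_CRASH_RE.search(rec["msg"])))


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """One hit per matching line, naming the rule that fired and the host."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        rec = parse_syslog(line)
        if rec is None:
            continue
        if matches_page_query(rec):
            hits.append({"line": n, "rule": "page_query", "host": rec["host"]})
        elif matches_crash_report(rec):
            hits.append({"line": n, "rule": "crash_report", "host": rec["host"]})
    return hits


def hosts_over_threshold(lines: List[str], threshold: int = 2) -> List[str]:
    """Hosts with at least `threshold` hits: one event may be noise, a burst is not."""
    counts: Dict[str, int] = {}
    for h in scan(lines):
        counts[str(h["host"])] = counts.get(str(h["host"]), 0) + 1
    return sorted(host for host, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
    print("hosts over threshold:", hosts_over_threshold(SAMPLE_LINES))
```

On the sample lines the literal query fires only on the gzip error from fluent-bit itself; the kernel segfault and the systemd core-dump exit are caught by the second rule, and the nginx line with "out of bounds" in it is correctly ignored because neither its source nor its message ties it to the process.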
