CVE-2021-36088

9.8 CRITICAL

📋 TL;DR

CVE-2021-36088 is a double-free vulnerability in Fluent Bit's JSON parser that can lead to memory corruption and potential remote code execution. This affects Fluent Bit versions 1.7.0 through 1.7.4 when processing malicious JSON input. Organizations using vulnerable Fluent Bit deployments for log processing are at risk.

💻 Affected Systems

Products:
  • Fluent Bit
Versions: 1.7.0 through 1.7.4
Operating Systems: All platforms running Fluent Bit
Default Config Vulnerable: ⚠️ Yes
Notes: Any configuration using JSON parsing is vulnerable. The vulnerability is in the core parser functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the Fluent Bit process, potentially leading to complete system compromise.

🟠 Likely Case

Denial of service through application crash or memory corruption leading to instability.

🟢 If Mitigated

Limited impact if Fluent Bit runs with minimal privileges and network exposure is restricted.

🌐 Internet-Facing: HIGH - Fluent Bit often receives data from external sources and the vulnerability can be triggered via crafted JSON input.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this if they can send data to Fluent Bit.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is triggered by sending specially crafted JSON data to Fluent Bit. Proof-of-concept code exists in the OSS-Fuzz reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.5 and later

Vendor Advisory: https://github.com/fluent/fluent-bit/security/advisories/GHSA-6w9v-4x7f-3vj9

Restart Required: Yes

Instructions:

1. Upgrade Fluent Bit to version 1.7.5 or later.
2. Download from https://fluentbit.io/download/.
3. Replace the existing installation.
4. Restart the Fluent Bit service.

🔧 Temporary Workarounds

Disable JSON parsing (platform: all)

If JSON parsing is not required, disable it in the Fluent Bit configuration.

# In Fluent Bit config, remove or comment out JSON parser configurations

Network isolation (platform: linux)

Restrict network access to Fluent Bit endpoints.

# Use firewall rules to limit access
# Example: iptables -A INPUT -p tcp --dport 24224 -s trusted_ip -j ACCEPT

🧯 If You Can't Patch

  • Run Fluent Bit with minimal privileges (non-root user)
  • Implement network segmentation to limit which systems can send data to Fluent Bit

🔍 How to Verify

Check if Vulnerable:

Check Fluent Bit version: fluent-bit --version. If version is between 1.7.0 and 1.7.4 inclusive, the system is vulnerable.

Check Version:

fluent-bit --version

Verify Fix Applied:

After patching, verify version is 1.7.5 or later with: fluent-bit --version
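As an added example (not part of this advisory or of Fluent Bit itself), a POSIX shell check that parses the `fluent-bit --version` banner and reports whether the installed build falls in the affected 1.7.0 through 1.7.4 range. It assumes the banner looks like `Fluent Bit v1.7.4`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory or the Fluent Bit project.
# Assumption: `fluent-bit --version` prints a line such as "Fluent Bit v1.7.4".
# Affected range for CVE-2021-36088 per the advisory: 1.7.0 through 1.7.4.

# Print the first MAJOR.MINOR.PATCH found in a version banner, or nothing.
fb_extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Exit 0 if the version in "$1" lies in [1.7.0, 1.7.4]; 1 if outside that
# range; 2 if no version could be parsed (treat as unknown and investigate).
fb_is_vulnerable() {
    ver=$(fb_extract_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 1 ] && [ "$minor" -eq 7 ] && [ "$patch" -le 4 ]; then
        return 0
    fi
    return 1
}

# Live check of the installed binary, if present; safe on a patched host.
fb_report() {
    if ! command -v fluent-bit >/dev/null 2>&1; then
        echo "fluent-bit not found on PATH"
        return 0
    fi
    banner=$(fluent-bit --version 2>&1 | head -n 1)
    rc=0
    fb_is_vulnerable "$banner" || rc=$?
    case $rc in
        0) echo "VULNERABLE to CVE-2021-36088: $banner (upgrade to 1.7.5 or later)" ;;
        1) echo "Not in affected range: $banner" ;;
        *) echo "Could not parse a version from: $banner" ;;
    esac
}

fb_report
```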

📡 Detection & Monitoring

Log Indicators:

  • Fluent Bit crash logs
  • Segmentation fault errors in system logs
  • Unexpected process termination

Network Indicators:

  • Unusual JSON payloads sent to Fluent Bit ports
  • Multiple connection attempts with malformed data

SIEM Query:

source="fluent-bit" AND ("segmentation fault" OR "double free" OR "corrupted")
