CVE-2024-50609
📋 TL;DR
CVE-2024-50609 is a NULL pointer dereference vulnerability in Fluent Bit's OpenTelemetry input plugin that allows remote denial of service. When an attacker sends a request with Content-Length: 0 to the OpenTelemetry endpoint, the plugin mishandles the empty body and crashes the Fluent Bit process. This affects any Fluent Bit deployment with the OpenTelemetry input plugin enabled and reachable over the network.
💻 Affected Systems
- Fluent Bit
📦 What is this software?
Fluent Bit by Treasuredata
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of Fluent Bit, causing log processing pipeline failure and potential data loss until service is restarted.
Likely Case
Intermittent service crashes requiring manual intervention to restart Fluent Bit, disrupting log collection and forwarding capabilities.
If Mitigated
Minimal impact if proper network segmentation and access controls prevent unauthorized access to the OpenTelemetry endpoint.
🎯 Exploit Status
Exploitation requires network access to the OpenTelemetry endpoint but no authentication. The attack is trivial to execute with basic network tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fluent Bit 3.1.10 or later
Vendor Advisory: https://fluentbit.io/announcements/
Restart Required: Yes
Instructions:
1. Check the current Fluent Bit version.
2. Download and install Fluent Bit 3.1.10 or later from official sources.
3. Restart the Fluent Bit service.
4. Verify that the new version is running.
🔧 Temporary Workarounds
Disable OpenTelemetry Input Plugin
Remove or comment out the OpenTelemetry input plugin configuration if it is not required.
# Edit the Fluent Bit configuration file
# Remove or comment out [INPUT] sections whose Name is opentelemetry
Restrict Network Access
Use firewall rules to restrict access to the OpenTelemetry endpoint port.
# Example iptables rule to restrict to specific IPs
iptables -A INPUT -p tcp --dport <PORT> -s <TRUSTED_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport <PORT> -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the OpenTelemetry endpoint
- Use a reverse proxy or load balancer with request validation to filter malformed packets before they reach Fluent Bit
🔍 How to Verify
Check if Vulnerable:
Check whether Fluent Bit is running version 3.1.9 and has the OpenTelemetry input plugin enabled in its configuration.
Check Version:
fluent-bit --version
Verify Fix Applied:
Verify that the Fluent Bit version is 3.1.10 or later, then confirm that a request with Content-Length: 0 to the OpenTelemetry endpoint no longer crashes the service.
📡 Detection & Monitoring
Log Indicators:
- Fluent Bit process crashes or restarts
- Segmentation fault errors in system logs
- OpenTelemetry plugin error messages
Network Indicators:
- Incoming packets with Content-Length: 0 to OpenTelemetry port
- Sudden drop in OpenTelemetry traffic followed by service restart
SIEM Query:
(source="fluent-bit" AND ("segmentation fault" OR "crash" OR "SIGSEGV")) OR (destination_port=<OPENTELEMETRY_PORT> AND http_content_length="0")
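The two halves of the SIEM query above can also be joined in a small correlation script, so that a crash shortly after a zero-length request to the OpenTelemetry endpoint is surfaced as one finding. This is an added example, not part of the advisory or of Fluent Bit; the log line formats and the sample lines are constructed, and the port 4318 and the /v1/* paths are assumed (the OTLP/HTTP defaults), so adjust them to your deployment.

```python
import re
# Assumption (not from the advisory): the OTel input listens on the OTLP/HTTP default 4318.
OTEL_PORT = 4318
OTEL_PATHS = {"/v1/traces", "/v1/metrics", "/v1/logs"}
CRASH_MARKERS = ("segmentation fault", "segfault", "segv", "crash")
WINDOW_SECONDS = 60  # a crash this soon after a zero-length request is suspicious

# Constructed line formats: proxy access log "<epoch> <ip> <method> <path> port=<n>
# content_length=<n>" and host syslog "<epoch> <message>".
ACCESS_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\S+) port=(\d+) content_length=(\d+)$")
SYSTEM_RE = re.compile(r"^(\d+) (.*)$")

def zero_length_otel_requests(access_lines):
    """(epoch, client_ip) for each OTel endpoint request carrying Content-Length: 0."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        ts, ip, _method, path, port, clen = m.groups()
        if int(port) == OTEL_PORT and path in OTEL_PATHS and int(clen) == 0:
            hits.append((int(ts), ip))
    return hits

def fluent_bit_crashes(system_lines):
    """(epoch, message) for each Fluent Bit segfault / SIGSEGV / crash line."""
    hits = []
    for line in system_lines:
        m = SYSTEM_RE.match(line.strip())
        if m and "fluent-bit" in m[2].lower() and any(k in m[2].lower() for k in CRASH_MARKERS):
            hits.append((int(m[1]), m[2]))
    return hits

def correlate(access_lines, system_lines):
    """(client_ip, crash_epoch) where a crash followed a zero-length OTel request within the window."""
    reqs = zero_length_otel_requests(access_lines)
    return [(ip, cts) for cts, _ in fluent_bit_crashes(system_lines)
            for rts, ip in reqs if 0 <= cts - rts <= WINDOW_SECONDS]

# Constructed samples: a normal request, a zero-length one, a zero-length GET to the
# non-OTel HTTP server port, a segfault 2s later, and an unrelated restart much later.
SAMPLE_ACCESS = [
    "1700000000 10.0.0.5 POST /v1/traces port=4318 content_length=512",
    "1700000030 198.51.100.7 POST /v1/logs port=4318 content_length=0",
    "1700000031 10.0.0.5 GET /api/v1/metrics port=2020 content_length=0",
]
SAMPLE_SYSTEM = [
    "1700000032 kernel: fluent-bit[1234]: segfault at 0 ip 00007f3a1c0d2e40 sp 00007ffd0 error 4",
    "1700000900 systemd[1]: fluent-bit.service: Main process exited, code=killed, status=11/SEGV",
]
```

Running `correlate(SAMPLE_ACCESS, SAMPLE_SYSTEM)` reports only the 198.51.100.7 request paired with the segfault two seconds later; the later restart is outside the window and the zero-length GET to the non-OTel port is ignored.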