GHSA-hwhf-64mh-r662
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hwhf-64mh-r662
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-hwhf-64mh-r662/GHSA-hwhf-64mh-r662.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-hwhf-64mh-r662
- Aliases
- Related
- Published
- 2021-11-01T19:16:31Z
- Modified
- 2023-12-06T00:46:31.627273Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- ReDoS vulnerability in parser_apache2
- Details
-
Impact
parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack.
Patches
v1.14.2
Workarounds
Either of the following:
- Don't use parser_apache2 for parsing logs which cannot guarantee generated by Apache.
- Put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable
FLUENT_PLUGINor--pluginoption of fluentd).
References
- CVE-2021-41186
- GHSA-hwhf-64mh-r662
- GHSL-2021-102
- https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2021-10-29T14:15:00Z", "cwe_ids": [ "CWE-400" ], "github_reviewed_at": "2021-10-29T13:44:13Z", "severity": "MODERATE" }- References
-
- https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662
- https://nvd.nist.gov/vuln/detail/CVE-2021-41186
- https://github.com/fluent/fluentd/commit/5482a3d049dab351de0be68f4b4bc562319d8511
- https://github.com/fluent/fluentd
- https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142
- https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2021-41186.yml
Affected packages
RubyGems / fluentd
Package
- Name
- fluentd
- Purl
- pkg:gem/fluentd
Affected versions
0.*
0.14.14
0.14.15
0.14.16
0.14.17
0.14.18
0.14.19
0.14.20.rc1
0.14.20
0.14.21
0.14.22.rc1
0.14.22.rc2
0.14.22
0.14.23.rc1
0.14.23
0.14.24
0.14.25
1.*
1.0.0.rc1
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0.pre1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4.rc1
1.2.4
1.2.5.rc1
1.2.5
1.2.6
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.5.0.rc1
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0.rc1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0.rc1
1.8.0.rc2
1.8.0.rc3
1.8.0
1.8.1
1.9.0.rc1
1.9.0.rc2
1.9.0
1.9.1
1.9.2
1.9.3
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.12.0.rc1
1.12.0.rc2
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.13.0
1.13.1
1.13.2
1.13.3
1.14.0.rc
1.14.0
1.14.1