CVE-2024-50609: An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a...
Description
An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with access to the endpoint) to perform a remote Denial of service attack. The crash happens because of a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len, which in turn tries to cast a NULL pointer into struct cfl_sds. This is related to process_payload_traces_proto_ng() at opentelemetry_prot.c.
Classification
CVE ID: CVE-2024-50609
Affected Products
Vendor: n/a
Product: n/a
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.14% (probability of being exploited)
EPSS Percentile: 30.43% (scored less or equal to compared to others)
EPSS Date: 2025-03-19 (when was this score calculated)
References
https://fluentbit.io/announcements/https://github.com/fluent/fluent-bit/releases
https://www.ebryx.com/blogs/exploring-cve-2024-50608-and-cve-2024-50609