
"A series of "trivial-to-exploit" vulnerabilities in Fluent Bit, an open source log collection tool that runs in every major cloud and AI lab, was left open for years, giving attackers an exploit chain to completely disrupt cloud services and alter data. The Oligo Security research team found the five vulnerabilities and - in coordination with the project's maintainers - on Monday published details about the bugs that allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags."
"Fluent Bit, an open source project maintained by Chronosphere, is used by major cloud providers and tech giants, including Google, Amazon, Oracle, IBM, and Microsoft, to collect and route data. It's a lightweight telemetry data agent and processor for logs, metrics, and traces, and it has more than 15 billion deployments. At KubeCon earlier this month, OpenAI said it runs Fluent Bit on all of its Kubernetes nodes."
"It's been around for 14 years, and at least one of the newly disclosed bugs, a path-traversal flaw now tracked as CVE-2025-12972, has left cloud environments vulnerable for more than 8 years, according to Oligo Security researcher Uri Katz. This, Katz told The Register, is because "the file-output behavior that makes path traversal possible has been a part of Fluent Bit since its early architecture. The other issues aren't quite as old but are still long-standing.""
Five vulnerabilities in Fluent Bit enable authentication bypass, path traversal, remote code execution, denial-of-service conditions, and tag manipulation. The flaws were present for years in widely deployed components, with at least one path-traversal bug active for more than eight years and other issues traceable to four to six years ago. Fluent Bit is used by major cloud providers and technology companies across more than 15 billion deployments and runs on Kubernetes nodes at large AI operators. The vulnerabilities largely stem from plugin behavior and tag handling. Updating to v4.1.1 or v4.0.12 remediates the issues.
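The summary above ties the path-traversal issue to file-output behavior and tag handling: when a log agent derives an output filename from a record tag that an upstream sender controls, the tag can carry path components that move the write outside the intended directory. The following is an added example written for this page, not Fluent Bit's own code, of the containment check a defender would want on such a mapping. It assumes a hypothetical file output that names files after the tag; the base directory `/var/log/fluent-out` and the sample tags are constructed for illustration.

```python
import os
import re

# Constructed sample input: an assumed base output directory and a batch of
# tags as an agent might receive them. The traversal-shaped tags are made up
# to exercise the check; they are not taken from any advisory.
OUTPUT_DIR = "/var/log/fluent-out"
SAMPLE_TAGS = [
    "app.web.access",                          # ordinary dotted tag
    "kube.var.log.containers.nginx",           # ordinary dotted tag
    "team/web/access",                         # subdirectory, still inside base
    "../../etc/cron.d/job",                    # relative traversal
    "app/../../../root/.ssh/authorized_keys",  # traversal hidden after a valid prefix
    "/etc/passwd",                             # absolute path: os.path.join would discard base
    "clean.tag\x00.conf",                      # embedded NUL, truncates in C string APIs
    "..",                                      # bare parent component
]

# Allow-list of characters a tag may contain once it becomes a filename.
# '/' is permitted so tags can map to subdirectories; the containment check
# below is what stops '/' from being used to escape.
SAFE_TAG = re.compile(r"^[A-Za-z0-9._/-]+$")


def tag_to_output_path(base_dir: str, tag: str) -> str:
    """Map a record tag to a file under base_dir, raising ValueError for any
    tag whose resolved path would land outside base_dir."""
    if not tag or not SAFE_TAG.fullmatch(tag):
        raise ValueError(f"tag contains disallowed characters: {tag!r}")
    # Dot-only names ('.' or '..') pass the allow-list but are not filenames.
    if tag.strip("./") == "":
        raise ValueError(f"tag is not a usable filename: {tag!r}")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and symlinks; an absolute tag makes join() drop
    # base entirely, which the containment test below also catches.
    candidate = os.path.realpath(os.path.join(base, tag))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"tag escapes output directory: {tag!r}")
    return candidate


def is_safe_tag(base_dir: str, tag: str) -> bool:
    """Boolean form of tag_to_output_path for filtering pipelines."""
    try:
        tag_to_output_path(base_dir, tag)
        return True
    except ValueError:
        return False


def classify_tags(base_dir: str, tags):
    """Split a batch of tags into (accepted, rejected) lists; rejected entries
    carry the reason so the decision can be logged and alerted on."""
    accepted, rejected = [], []
    for t in tags:
        try:
            accepted.append((t, tag_to_output_path(base_dir, t)))
        except ValueError as exc:
            rejected.append((t, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = classify_tags(OUTPUT_DIR, SAMPLE_TAGS)
    for tag, path in ok:
        print(f"ACCEPT {tag!r} -> {path}")
    for tag, reason in bad:
        print(f"REJECT {tag!r}: {reason}")
```

The check deliberately has two layers. The allow-list removes bytes that behave differently across the C and Python string boundary (a NUL truncates a C filename), and the `realpath` plus `commonpath` comparison decides containment on the resolved path rather than on the string, so `..` segments, absolute paths and symlinked base directories are all judged after resolution. Rejections should be logged with the offending tag: a burst of traversal-shaped tags from one sender is itself a useful detection signal.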
Read at Theregister