{"id":5941,"date":"2025-11-25T11:52:31","date_gmt":"2025-11-25T11:52:31","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5941"},"modified":"2025-11-25T11:52:31","modified_gmt":"2025-11-25T11:52:31","slug":"fluent-bit-vulnerabilities-could-enable-full-cloud-takeover","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5941","title":{"rendered":"Fluent Bit vulnerabilities could enable full cloud takeover"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Fluent Bit, a widely deployed log-processing tool used in containers, Kubernetes DaemonSets, and major cloud platforms, has been found vulnerable to authentication bypass, file-write, and agent takeover attacks.<\/p>\n<p>According to an Oligo Security analysis, disclosed in co-operation with Amazon Web Services (AWS), the tool was found vulnerable to five critical flaws that could allow full compromise of cloud infrastructure.<\/p>\n<p>\u201cFluent Bit runs everywhere: AI labs, banks, car manufacturers, all the major cloud providers such as AWS, Google Cloud, and Microsoft Azure, and more,\u201d Uri Katz, researcher at Oligo Security\u2019s CTO Office, said in a blog post. 
\u201cWhen a component this widespread and trusted fails, it doesn\u2019t just expose individual systems; it threatens the stability of the cloud ecosystem.\u201d<\/p>\n<p>These flaws can potentially allow attackers to rewrite or delete logs to cover their tracks, inject false telemetry, reroute records into attacker-controlled destinations, or even execute arbitrary code, Katz added.<\/p>\n<p>To address them, the <a href=\"https:\/\/github.com\/fluent\/fluent-bit\" target=\"_blank\" rel=\"noopener\">Fluent Bit<\/a> project has released patched versions v4.1.1 and v4.0.12.<\/p>\n<h2 class=\"wp-block-heading\">Bypassing authentication to inject fake logs<\/h2>\n<p>The most concerning issue revealed in the <a href=\"https:\/\/www.oligo.security\/blog\/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover\" target=\"_blank\" rel=\"noopener\">disclosure<\/a> is in the Fluent Bit forward input plugin \u201cin_forward,\u201d which can be configured to appear protected but is actually wide open. Specifically, when \u201cSecurity.Users\u201d authentication is specified without a \u201cShared.key\u201d, authentication is effectively not enforced, leaving the port open for attackers to connect and send arbitrary logs.<\/p>\n<p>Attackers could flood monitoring systems with false or misleading events, hide alerts in the noise, or even hijack the telemetry stream entirely, Katz said. The issue is now tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-12969\" target=\"_blank\" rel=\"noopener\">CVE-2025-12969<\/a> and awaits a severity rating.<\/p>\n<p>Almost equally troubling are other flaws in the \u201ctag\u201d mechanism, which determines how records are routed and processed. 
One bug (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-12978\" target=\"_blank\" rel=\"noopener\">CVE-2025-12978<\/a>) allows an attacker who can guess just the first character of the tag key to impersonate trusted tags and reroute logs or bypass filters. Another (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-12977\">CVE-2025-12977<\/a>) allows unsanitized tag values (including newlines, directory-traversal strings, and control characters), which can corrupt downstream parsing, enable file-system writes, or allow further escalation.<\/p>\n<p>According to the blog, AWS has secured all of its internal systems that rely on Fluent Bit through the Fluent Bit project and released Fluent Bit version 4.1.1. AWS did not immediately respond to CSO\u2019s request for comment.<\/p>\n<h2 class=\"wp-block-heading\">File writes, container overflow, and full agent takeover<\/h2>\n<p>Oligo also disclosed a chain of remote code execution (RCE) and path traversal vulnerabilities affecting the tool. <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-12972\">CVE-2025-12972<\/a> targets the \u201cout_file\u201d output plugin. When Tag values are user-controlled and no fixed File parameter is set, attackers can abuse the Tag value (e.g., \u201c..\/\u201d) to cause path-traversal file writes or overwrites, ultimately letting them plant malicious files or gain RCE.<\/p>\n<p>\u201cOur research found that some of these vulnerabilities, such as CVE-2025-12972, have left cloud environments vulnerable for over 8 years,\u201d Katz noted.<\/p>\n<p>In the Docker input plugin (in-Docker), <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-12970\" target=\"_blank\" rel=\"noopener\">CVE-2025-12970<\/a> is a stack <a href=\"https:\/\/www.csoonline.com\/article\/3823937\/cisa-fbi-call-software-with-buffer-overflow-issues-unforgivable.html\">buffer overflow<\/a>. 
If an attacker names a container with an excessively long name, the buffer overflow lets them crash the agent or execute code. Oligo warned that the flaw allows attackers to seize the logging agent, hide their activity, plant backdoors, and pivot further into the system.<\/p>\n<p>Fluent Bit is a Cloud Native Computing Foundation (<a href=\"https:\/\/www.computerworld.com\/article\/1636806\/the-changing-face-of-open-source-software.html\">CNCF<\/a>) graduated open-source project, initially created by Eduardo Silva, who remains its most frequent contributor, now sponsored and maintained by major cloud providers.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Fluent Bit, a widely deployed log-processing tool used in containers, Kubernetes DaemonSets, and major cloud platforms, has been found vulnerable to authentication bypass, file-write, and agent takeover attacks. According to an Oligo Security analysis, disclosed in co-operation with Amazon Web Services (AWS), the tool was found vulnerable to five critical flaws that could allow full 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5942,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5941","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5941"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5941"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5941\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5942"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}