CVE-2021-41186.yml
---
gem: fluentd
cve: 2021-41186
ghsa: hwhf-64mh-r662
url: https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662
title: ReDoS vulnerability in parser_apache2
date: 2021-11-01
description: |
  ### Impact
  The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A malformed Apache log line containing a certain pattern of characters can make the parser's regular expression backtrack for a very long time, so a single crafted line fed to the parser can cause a DoS.
  ### Patches
  v1.14.2
  ### Workarounds
  Either of the following:
  * Don't use parser_apache2 for logs that cannot be guaranteed to have been generated by Apache.
  * Put the patched version of parser_apache2.rb into the /etc/fluent/plugin directory (or any other directory specified by the environment variable `FLUENT_PLUGIN` or the `--plugin` option of fluentd).
cvss_v3: 5.9
unaffected_versions:
  - "< 0.14.14"
patched_versions:
  - ">= 1.14.2"
related:
  url:
    - https://securitylab.github.com/advisories/GHSL-2021-102-fluent-fluentd/
    - https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142
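The Impact and Workarounds sections above describe the bug class but not what makes a log-line regex backtrack catastrophically. The following Ruby is an added example, not fluentd's code and not the actual parser_apache2 pattern: it uses an assumed, simplified combined-log layout and two stand-in quoted-field sub-patterns (an ambiguous one, where the character class also matches a backslash, and an unambiguous one that excludes it) to show why a malformed line with an unterminated quoted field and a run of backslashes has exponentially many partial parses, and why the unambiguous form fails in linear time. The sample log lines are constructed, and `backtracking_paths` counts the parses a backtracking engine must enumerate rather than timing the engine itself, because Ruby 3.2+ memoises many such patterns and would hide the blow-up.

```ruby
# Added example (not fluentd's code, not the real parser_apache2 regex).
# Stand-in for the quoted-field construct of an Apache combined-log parser.
#
# AMBIGUOUS:   [^"] also matches a backslash, so `[^"]` and `\\.` overlap.  A run
#              of backslashes with no closing quote has exponentially many
#              partial parses for the engine to try before it gives up.
# UNAMBIGUOUS: excluding the backslash from the class leaves exactly one way
#              to consume each character, so a failed match is linear.
AMBIGUOUS_FIELD   = '(?:[^"]|\\\\.)*'      # pattern text: (?:[^"]|\\.)*
UNAMBIGUOUS_FIELD = '(?:[^"\\\\]|\\\\.)*'  # pattern text: (?:[^"\\]|\\.)*

# Assumed, simplified combined-log layout:
#   host ident user [time] "request" code size "referer" "agent"
def combined_log_regexp(field)
  /\A(?<host>[^ ]*) [^ ]* (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<request>#{field})" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>#{field})" "(?<agent>#{field})")?\z/
end

VULNERABLE_RE = combined_log_regexp(AMBIGUOUS_FIELD)
HARDENED_RE   = combined_log_regexp(UNAMBIGUOUS_FIELD)

# Returns a Hash of named captures, or nil when the line does not parse.
def parse_apache_line(re, line)
  m = re.match(line)
  m && m.names.map { |n| [n, m[n]] }.to_h
end

# Constructed well-formed line; the escaped quotes in the request exercise `\\.`.
GOOD_LINE = '192.0.2.10 - frank [10/Oct/2021:13:55:36 +0000] "GET /i?q=\"x\" HTTP/1.1" 200 2326 "http://example.com/" "Mozilla/5.0"'

# Constructed malformed line: the quoted request is opened, filled with
# backslashes, and never closed, so every match attempt must fail.
def malformed_line(n_backslashes)
  '192.0.2.10 - - [10/Oct/2021:13:55:36 +0000] "GET ' + ('\\' * n_backslashes)
end

# Number of distinct ways a backtracking engine can consume n backslashes with
# the field pattern before discovering the closing quote is missing:
#   branch A  `[^"]`  eats one backslash   (only available when ambiguous)
#   branch B  `\\.`   eats a backslash plus the following character
# Memoised here so the count is cheap; the engine itself is not memoised on
# older Rubies and walks every path, i.e. Fibonacci(n+1) attempts.
def backtracking_paths(n, ambiguous, memo = {})
  return 1 if n.zero?
  memo[n] ||= begin
    ways = 0
    ways += backtracking_paths(n - 1, ambiguous, memo) if ambiguous
    ways += backtracking_paths(n - 2, ambiguous, memo) if n >= 2
    ways
  end
end

if __FILE__ == $0
  require 'benchmark'
  p parse_apache_line(HARDENED_RE, GOOD_LINE)
  [16, 20, 24].each do |n|
    line = malformed_line(n)
    t = Benchmark.realtime { VULNERABLE_RE.match(line) }
    printf("n=%2d ambiguous paths=%7d  unambiguous paths=%d  ambiguous match time=%.4fs\n",
           n, backtracking_paths(n, true), backtracking_paths(n, false), t)
  end
end
```

Both patterns accept the same well-formed lines and reject the same malformed ones; the difference is only in how much work a rejection costs. The second workaround in the advisory (dropping a patched `parser_apache2.rb` into the plugin directory) is exactly this kind of rewrite applied to the real plugin, while the first (not feeding untrusted, non-Apache text to the parser) removes the attacker's ability to supply the malformed line in the first place.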