Impact
The logstash source inflates a compressed frame and feeds the result back into its
frame decoder without limiting how deeply compressed frames may be nested. A remote,
unauthenticated attacker who can reach the source's listener can send a small
(~68 KB) payload composed of many compressed frames nested inside one another; each
layer re-enters the decoder, and deep nesting exhausts the worker thread's stack and
aborts the process. The same construction additionally amplifies input via
uncapped decompression. The source listens on 0.0.0.0:5044 by default with no
authentication, so any deployment that enables it without network restrictions is
exposed, and a crash halts log ingestion for every tenant on a shared pipeline.
Patches
This is resolved in version 0.57.0 and later of Vector.
Workarounds
If you cannot upgrade immediately:
- Do not expose the
logstash source to untrusted networks; restrict the listener
to trusted peers with a firewall or network policy.
- Require TLS client-certificate authentication on the
logstash source.
References
Credit
This vulnerability was responsibly disclosed by Intercontinental Exchange, Inc. (ICE), Information Security, DeMarcus Campbell.
Impact
The
logstashsource inflates a compressed frame and feeds the result back into itsframe decoder without limiting how deeply compressed frames may be nested. A remote,
unauthenticated attacker who can reach the source's listener can send a small
(~68 KB) payload composed of many compressed frames nested inside one another; each
layer re-enters the decoder, and deep nesting exhausts the worker thread's stack and
aborts the process. The same construction additionally amplifies input via
uncapped decompression. The source listens on
0.0.0.0:5044by default with noauthentication, so any deployment that enables it without network restrictions is
exposed, and a crash halts log ingestion for every tenant on a shared pipeline.
Patches
This is resolved in version 0.57.0 and later of Vector.
Workarounds
If you cannot upgrade immediately:
logstashsource to untrusted networks; restrict the listenerto trusted peers with a firewall or network policy.
logstashsource.References
Credit
This vulnerability was responsibly disclosed by Intercontinental Exchange, Inc. (ICE), Information Security, DeMarcus Campbell.