Impact
The logstash source decodes a compressed frame by reading a 32-bit length field
directly from the wire and using it to size an in-memory buffer, with no upper bound.
A remote, unauthenticated attacker who can reach the source's listener can send a
minimal (~6-byte) frame that declares a multi-gigabyte length, causing Vector to
attempt an allocation large enough to abort the process or trigger the host
OOM-killer. Because the allocation is driven by the declared length rather than the
bytes actually sent, the attacker's cost is negligible. The source listens on
0.0.0.0:5044 by default with no authentication, so any deployment that enables it
without network restrictions is exposed, and a crash halts log ingestion for every
tenant on a shared pipeline.
Patches
This is resolved in version 0.57.0 and later of Vector.
Workarounds
If you cannot upgrade immediately:
- Do not expose the
logstash source to untrusted networks; restrict the listener
to trusted peers with a firewall or network policy.
- Require TLS client-certificate authentication on the
logstash source.
References
Credit
This vulnerability was responsibly disclosed by Intercontinental Exchange, Inc. (ICE), Information Security, DeMarcus Campbell.
Impact
The
logstashsource decodes a compressed frame by reading a 32-bit length fielddirectly from the wire and using it to size an in-memory buffer, with no upper bound.
A remote, unauthenticated attacker who can reach the source's listener can send a
minimal (~6-byte) frame that declares a multi-gigabyte length, causing Vector to
attempt an allocation large enough to abort the process or trigger the host
OOM-killer. Because the allocation is driven by the declared length rather than the
bytes actually sent, the attacker's cost is negligible. The source listens on
0.0.0.0:5044by default with no authentication, so any deployment that enables itwithout network restrictions is exposed, and a crash halts log ingestion for every
tenant on a shared pipeline.
Patches
This is resolved in version 0.57.0 and later of Vector.
Workarounds
If you cannot upgrade immediately:
logstashsource to untrusted networks; restrict the listenerto trusted peers with a firewall or network policy.
logstashsource.References
Credit
This vulnerability was responsibly disclosed by Intercontinental Exchange, Inc. (ICE), Information Security, DeMarcus Campbell.