Security Notice About CVE-2024-4323 (Fluent Bit)
A security flaw has been found in Fluent Bit’s built-in HTTP server that could be exploited to potentially cause denial of service, information disclosure and, given enough time and effort, remote code execution. Affected Fluent Bit versions are 2.0.7 through 3.0.3.

Torizon OS is not affected by this issue with the default Fluent Bit configuration. However, some Torizon OS 6 releases ship an affected version of Fluent Bit, which becomes vulnerable if the configuration is changed from the default and the HTTP server is enabled. Torizon OS 5 is not impacted at all.

Starting with the Torizon OS 6.2.0-devel-202303 monthly pre-release, all Torizon OS quarterly releases from 6.2.0 up to 6.6.1 ship an affected Fluent Bit version.

The vulnerability affects Fluent Bit's built-in HTTP server, which is disabled by default in all Torizon OS 6 versions. If you did not explicitly enable the HTTP server by editing the Fluent Bit config file located at /etc/fluent-bit/fluent-bit.conf, you are not affected and no immediate action is needed.

Our upcoming Torizon OS 6.7 quarterly release, scheduled for July, will include the fix backported to Fluent Bit 2.2.3.

Until then, we strongly recommend that customers using custom Torizon OS 6 images verify that the Fluent Bit internal HTTP server is disabled, and keep it disabled if possible. You can check whether you have enabled it by examining the contents of /etc/fluent-bit/fluent-bit.conf. If the HTTP server is enabled, you will see a section in the file similar to this:

    HTTP_Server  On
    HTTP_PORT    2020

You can disable the HTTP server by removing that section of the config file.
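The following shell script is an added example, not part of the Toradex advisory or of Fluent Bit itself. It automates the two steps above: checking whether `HTTP_Server` is turned on in the `[SERVICE]` section of a classic-format Fluent Bit config, and writing a copy of the config with that key set to `Off` (equivalent to removing the section, since the server is off by default). It assumes the classic `[SECTION]` / `Key Value` syntax and that Fluent Bit treats key names and the boolean values `on`, `true` and `yes` case-insensitively; the sample configs are constructed for the demonstration. The function names `fluentbit_http_status` and `fluentbit_disable_http` are this example's own.

```shell
#!/bin/sh
# Added example (not from the Toradex advisory): audit and neutralise the
# Fluent Bit built-in HTTP server setting in a classic-format config file.

# Print "enabled" or "disabled" for the config file given as $1.
# Only an uncommented HTTP_Server key inside [SERVICE] counts.
fluentbit_http_status() {
    awk '
        # Track the current section; headers look like "[SERVICE]".
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/[]].*$/, "", sec)
            sec = toupper(sec)
            next
        }
        # Skip comments and blank lines.
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # Assumption: Fluent Bit accepts on/true/yes case-insensitively.
        sec == "SERVICE" && toupper($1) == "HTTP_SERVER" {
            v = toupper($2)
            enabled = (v == "ON" || v == "TRUE" || v == "YES") ? 1 : 0
        }
        END { print (enabled ? "enabled" : "disabled") }
    ' "$1"
}

# Copy config $1 to $2 with every active HTTP_Server key in [SERVICE]
# rewritten to "Off"; all other lines are passed through unchanged.
fluentbit_disable_http() {
    awk '
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/[]].*$/, "", sec)
            sec = toupper(sec)
        }
        sec == "SERVICE" && toupper($1) == "HTTP_SERVER" && $0 !~ /^[[:space:]]*#/ {
            # Replace only the value (last token), keeping the indentation.
            sub(/[^[:space:]]+[[:space:]]*$/, "Off")
        }
        { print }
    ' "$1" > "$2"
}

# Constructed sample configs, written to a temp dir so the script runs offline.
tmp=$(mktemp -d)
cat > "$tmp/enabled.conf" <<'EOF'
[SERVICE]
    Flush        1
    HTTP_Server  On
    HTTP_Listen  0.0.0.0
    HTTP_PORT    2020

[INPUT]
    Name  cpu
EOF
cat > "$tmp/disabled.conf" <<'EOF'
[SERVICE]
    Flush        1
    # HTTP_Server  On
    Log_Level    info

[INPUT]
    Name  cpu
EOF

fluentbit_http_status "$tmp/enabled.conf"    # enabled
fluentbit_http_status "$tmp/disabled.conf"   # disabled
fluentbit_disable_http "$tmp/enabled.conf" "$tmp/hardened.conf"
fluentbit_http_status "$tmp/hardened.conf"   # disabled
# On a Torizon OS 6 device you would point the check at the real file:
#   fluentbit_http_status /etc/fluent-bit/fluent-bit.conf
```

The check is deliberately section-aware: an `HTTP_Server` key under an `[INPUT]` or `[OUTPUT]` block is a different setting and must not be mistaken for the built-in server. The rewrite only changes the value token, so the resulting file stays diff-friendly when you build the custom image described below.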

For devices already deployed in the field, it is possible to create a custom OS image with changes to the /etc contents and perform a secure over-the-air OS update with Torizon Cloud. Detailed instructions can be found on our developer website.
