Security Notice About CVE-2024-4323 (Fluent Bit)
A security flaw has been found in Fluent Bit’s built-in HTTP server that could be exploited to cause denial of service or information disclosure and, given enough time and effort, remote code execution. Affected Fluent Bit versions are 2.0.7 through 3.0.3.
Torizon OS is not affected by this issue unless the default Fluent Bit configuration has been changed. However, some Torizon OS 6 releases ship an affected version of Fluent Bit, so they would be vulnerable if the configuration were changed from the default and the HTTP server were enabled. Torizon OS 5 is not impacted at all.
Starting with Torizon OS 6.2.0-devel-202303 monthly pre-release, all Torizon OS quarterly releases from 6.2.0 up to 6.6.1 have an affected Fluent Bit version.
The vulnerability affects Fluent Bit's built-in HTTP server, which is disabled by default in all Torizon OS 6 versions. If you did not explicitly enable the HTTP server by editing the Fluent Bit config file located at /etc/fluent-bit/fluent-bit.conf, you are not affected and no immediate action is needed.
Our upcoming Torizon OS 6.7 quarterly, scheduled to be released in July, will have the backported fix for Fluent Bit 2.2.3.
Until then, we strongly recommend that customers using custom Torizon OS 6 images verify that the Fluent Bit internal HTTP server is disabled, and keep it disabled if possible. You can check whether you have enabled it by examining the contents of /etc/fluent-bit/fluent-bit.conf. If the HTTP server is running, you will see a section in the file similar to this:
    [SERVICE]
        HTTP_Server On
        HTTP_Listen 0.0.0.0
        HTTP_PORT   2020
You can disable the HTTP server by removing that section of the config file.
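The check described above can be scripted so it can be run across a fleet of devices or in an image build pipeline. The following POSIX shell function is an added example and is not part of this notice or of the Fluent Bit or Torizon projects; it assumes the classic (non-YAML) Fluent Bit configuration format shown above, and the function name and the sample config files it creates are constructed for illustration. It only reports HTTP_Server as enabled when the key appears inside the [SERVICE] section with an affirmative value, so a commented-out line or a stray key in another section does not produce a false positive.

```shell
#!/bin/sh
# Added example (not Toradex or Fluent Bit code): report whether Fluent Bit's
# built-in HTTP server is enabled in a classic-format config file.
# Returns 0 (true) when HTTP_Server is On/True/Yes inside [SERVICE],
# 1 (false) otherwise, including when the file is missing or unreadable.
fluentbit_http_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    awk '
        # A line starting with "[" opens a new section; remember whether it is [SERVICE].
        /^[[:space:]]*\[/ {
            insvc = (toupper($0) ~ /^[[:space:]]*\[SERVICE\]/)
            next
        }
        # Keys are case-insensitive; comment lines have "#" as $1 and never match.
        insvc && toupper($1) == "HTTP_SERVER" {
            v = toupper($2)
            if (v == "ON" || v == "TRUE" || v == "YES") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# --- Demonstration on constructed sample configs (hypothetical contents) ---
demo_dir=$(mktemp -d)

# Constructed sample: HTTP server enabled, as in the section quoted in the notice.
cat > "$demo_dir/enabled.conf" <<'EOF'
[SERVICE]
    Flush        1
    HTTP_Server  On
    HTTP_Listen  0.0.0.0
    HTTP_PORT    2020

[INPUT]
    Name  systemd
EOF

# Constructed sample: default-style config with the HTTP section removed.
# A commented-out key and a key outside [SERVICE] must not count as enabled.
cat > "$demo_dir/default.conf" <<'EOF'
[SERVICE]
    Flush        1
    # HTTP_Server On

[INPUT]
    Name         systemd
    HTTP_Server  On
EOF

for f in "$demo_dir/enabled.conf" "$demo_dir/default.conf"; do
    if fluentbit_http_enabled "$f"; then
        echo "$f: HTTP server ENABLED - review against CVE-2024-4323"
    else
        echo "$f: HTTP server disabled"
    fi
done

rm -rf "$demo_dir"
```

On a device, run the function against /etc/fluent-bit/fluent-bit.conf; a zero exit status means the HTTP server section is active and should be removed as described above.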
For devices already deployed in the field, it is possible to create a custom OS image with changes to /etc contents and perform a secure over-the-air OS update with Torizon Cloud. Detailed instructions can be found on our developer website: https://developer.toradex.com/torizon/os-customization/use-cases/capturing-changes-in-the-configuration-of-a-board-on-torizoncore
- Learn more about Torizon.
- For instructions on installing and getting started, learning from the basics to the advanced, and much more, visit the Torizon page on the Toradex developer website.