The `fluent-plugin-s3` plugin (specifically the `in_s3` input plugin) supports reading and decompressing compressed files (such as `gzip`, `lzma2`, and `lzop`) from Amazon S3. It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limit. If an attacker has sufficient permissions to upload files to the monitored S3 bucket, they can upload a maliciously crafted, highly compressed file. When Fluentd attempts to decompress this file, it expands to an excessive size and consumes significant system resources.

### Impact

This vulnerability allows for a **Denial of Service (DoS)** attack via memory exhaustion. The rapid memory consumption during decompression can lead to an Out-of-Memory kill of the Fluentd process by the operating system. This results in the disruption of all log collection on the affected node.

### Patches

Fixed in v1.8.5.

### Workarounds

If an immediate upgrade is not possible, mitigate the risk by applying strict IAM access controls:

1. Restrict Bucket Access
   * Ensure that write (PUT) access to the S3 bucket monitored by `in_s3` is strictly limited to trusted services and administrators. Prevent any public or untrusted uploads to the S3 bucket.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
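The root cause described above is unbounded decompression: the whole expanded payload is materialised in memory, so a small, highly compressible object can exhaust the node. The following Ruby example, added here and not taken from `fluent-plugin-s3` or its fix, shows the defensive pattern of decompressing a gzip stream in fixed-size chunks and aborting as soon as the running decompressed total exceeds a configured cap. The helper names (`bounded_gunzip`, `within_limit?`), the cap values and the sample inputs (a short log snippet and a constructed 1 MB run of zero bytes that gzip shrinks to about 1 KB) are all assumptions made for this illustration.

```ruby
require 'zlib'
require 'stringio'

# Raised when the decompressed stream would exceed the configured cap.
class DecompressionLimitExceeded < StandardError; end

# Decompress gzip data in fixed-size chunks, aborting as soon as the running
# total of decompressed bytes exceeds max_bytes. Only one chunk is held in
# memory at a time, so memory use is bounded regardless of the compression
# ratio of the input. (Hypothetical helper, not the plugin's own code.)
def bounded_gunzip(compressed, max_bytes:, chunk_size: 64 * 1024)
  total = 0
  out = StringIO.new
  gz = Zlib::GzipReader.new(StringIO.new(compressed))
  begin
    # GzipReader#read(len) returns nil at end of stream.
    while (chunk = gz.read(chunk_size))
      total += chunk.bytesize
      if total > max_bytes
        raise DecompressionLimitExceeded,
              "decompressed size exceeds #{max_bytes} bytes (aborted at #{total})"
      end
      out.write(chunk)
    end
  ensure
    gz.close
  end
  out.string
end

# Convenience predicate: true when the object decompresses within the cap,
# false when the cap would be exceeded (the input is rejected, not expanded).
def within_limit?(compressed, max_bytes:)
  bounded_gunzip(compressed, max_bytes: max_bytes)
  true
rescue DecompressionLimitExceeded
  false
end

# Constructed sample inputs (not real S3 objects).
SAMPLE_LOG = "2024-01-01T00:00:00Z host=web1 msg=\"request ok\"\n" \
             "2024-01-01T00:00:01Z host=web1 msg=\"request ok\"\n"
SAMPLE_LOG_GZ = Zlib.gzip(SAMPLE_LOG)

# 1 MB of zero bytes: gzip reduces this to roughly 1 KB, which is the kind
# of ratio an unbounded reader would turn into a large allocation.
BOMB_PLAIN_SIZE = 1_000_000
BOMB_GZ = Zlib.gzip("\0" * BOMB_PLAIN_SIZE)

if $PROGRAM_NAME == __FILE__
  puts "sample log: #{SAMPLE_LOG_GZ.bytesize} bytes compressed, " \
       "within 4 KiB cap? #{within_limit?(SAMPLE_LOG_GZ, max_bytes: 4096)}"
  puts "zero-run:   #{BOMB_GZ.bytesize} bytes compressed, " \
       "within 100 KB cap? #{within_limit?(BOMB_GZ, max_bytes: 100_000)}"
end
```

The cap is checked before each chunk is appended, so at most one extra chunk (64 KiB here) beyond `max_bytes` is ever read before the object is rejected. In a real pipeline the rejected key would be logged and left in place rather than retried, so that a single crafted upload cannot repeatedly trigger the same allocation.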