chore(deps): update dependency fluentd to v1.15.3 [security] (release-2.9.x)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fluentd	'1.14.2' -> '1.15.3'

---

fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

BIT-fluentd-2022-39379 / CVE-2022-39379 / GHSA-fppq-mj76-fpj2

More information

Details

Impact

A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.

Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object.

Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.

Patches

v1.15.3

Workarounds

Do not use FLUENT_OJ_OPTION_MODE=object.

References

• GHSL-2022-067

Severity

• CVSS Score: 3.1 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
• https://nvd.nist.gov/vuln/detail/CVE-2022-39379
• https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
• https://github.com/fluent/fluentd
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.