Bug 2291337 (CVE-2024-36129) - CVE-2024-36129 opentelemetry-collector: denial of service via specially crafted HTTP or gRPC request
Summary: CVE-2024-36129 opentelemetry-collector: denial of service via specially craft...
Keywords:
Status: NEW
Alias: CVE-2024-36129
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2291338
Reported: 2024-06-11 15:27 UTC by Robb Gatica
Modified: 2024-06-17 09:24 UTC (History)

Fixed In Version: OpenTelemetry Collector 0.102.1
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2024:3943 | 0 | None | None | None | 2024-06-17 09:24:28 UTC

Description Robb Gatica 2024-06-11 15:27:58 UTC
The OpenTelemetry Collector offers a vendor-agnostic implementation of how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.

https://github.com/open-telemetry/opentelemetry-collector/pull/10289
https://github.com/open-telemetry/opentelemetry-collector/pull/10323
https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
https://opentelemetry.io/blog/2024/cve-2024-36129
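The mitigation for this class of bug is to bound how far a compressed request body may inflate, not merely the compressed Content-Length. The following is an added example in Go, not the collector's own code; readGzipBounded and handleCompressedBody are hypothetical names, and the sample inputs in the test are constructed.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"io"
	"net/http"
)

var ErrBodyTooLarge = errors.New("decompressed body exceeds limit")

// readGzipBounded inflates r but never buffers more than maxDecompressed bytes; capping
// the inflated stream (not just Content-Length) is what stops a tiny body from exhausting memory.
func readGzipBounded(r io.Reader, maxDecompressed int64) ([]byte, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, err // malformed gzip header
	}
	// Read one byte past the cap so an oversized body is rejected, not truncated.
	buf, err := io.ReadAll(io.LimitReader(zr, maxDecompressed+1))
	if err != nil {
		return nil, err // corrupt deflate stream
	}
	if int64(len(buf)) > maxDecompressed {
		return nil, ErrBodyTooLarge
	}
	return buf, nil
}

// gzipBytes builds a gzip body; used here only to construct sample input.
func gzipBytes(payload []byte) []byte {
	var b bytes.Buffer
	zw := gzip.NewWriter(&b)
	zw.Write(payload)
	zw.Close()
	return b.Bytes()
}

// handleCompressedBody maps one gzip-encoded request to a status: 200 fits, 413 over cap, 400 malformed.
func handleCompressedBody(compressed []byte, maxDecompressed int64) int {
	_, err := readGzipBounded(bytes.NewReader(compressed), maxDecompressed)
	if errors.Is(err, ErrBodyTooLarge) {
		return http.StatusRequestEntityTooLarge
	}
	if err != nil {
		return http.StatusBadRequest
	}
	return http.StatusOK
}
```

A receiver that reads the whole inflated stream before checking its size still allocates the full expansion; the check has to sit on the reader itself, as above.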

Comment 2 errata-xmlrpc 2024-06-17 09:24:27 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.2

Via RHSA-2024:3943 https://access.redhat.com/errata/RHSA-2024:3943

