Описание
The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.
A flaw was found in OpenTelemetry Collector. When sending an HTTP or gRPC request with a compressed payload, the Collector only verifies whether the compressed payload is beyond a certain limit but not its uncompressed version. This flaw allows an attacker using a specially crafted HTTP or gRPC request to trigger a denial of service.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift distributed tracing 2 | rhosdt/jaeger-agent-rhel8 | Under investigation | ||
| Red Hat OpenShift distributed tracing 2 | rhosdt/jaeger-all-in-one-rhel8 | Under investigation | ||
| Red Hat OpenShift distributed tracing 2 | rhosdt/jaeger-collector-rhel8 | Under investigation | ||
| Red Hat OpenShift distributed tracing 2 | rhosdt/jaeger-es-index-cleaner-rhel8 | Under investigation | ||
| Red Hat OpenShift distributed tracing 2 | rhosdt/jaeger-es-rollover-rhel8 | Under investigation | ||
| Red Hat OpenShift distributed tracing 2 | rhosdt/jaeger-ingester-rhel8 | Under investigation | ||
| Red Hat OpenShift distributed tracing 2 | rhosdt/jaeger-query-rhel8 | Under investigation | ||
| Red Hat OpenShift distributed tracing 2 | rhosdt/opentelemetry-collector-rhel8 | Under investigation | ||
| Red Hat OpenShift distributed tracing 2 | rhosdt/tempo-query-rhel8 | Under investigation | ||
| Red Hat OpenShift distributed tracing 2 | rhosdt/tempo-rhel8 | Under investigation |
Показывать по
Дополнительная информация
Статус:
EPSS
8.2 High
CVSS3
Связанные уязвимости
The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.
Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
Уязвимость модулей confighttp и configgrpc программного обеспечения обработки данных телеметрии OpenTelemetry Collector, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
8.2 High
CVSS3