aws-observability / aws-otel-collector

AWS Distro for OpenTelemetry Collector (see ADOT Roadmap at https://github.com/orgs/aws-observability/projects/4)
https://aws-otel.github.io/

CVE-2024-36129 in upstream OTEL Collector #2744

Closed conor-naranjo closed 3 months ago

conor-naranjo commented 3 months ago

Describe the question: A DoS vulnerability was identified in the upstream OTEL Collector as documented here:
https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
https://opentelemetry.io/blog/2024/cve-2024-36129/

Is the AWS Distro affected by this issue and if so when can a patch downstream be expected?

E: I see the patches applied - when can they be expected in a release?: https://github.com/aws-observability/aws-otel-collector/commit/d5ff2179e05626814d02ae704a9a6da72115c7d7

Steps to reproduce if your question is related to an action: N/A

What did you expect to see? N/A

Environment: N/A

Additional context: N/A

EAlf91 commented 3 months ago

The patch wouldn't resolve the problem, but there is a PR already open: #2748

Aneurysm9 commented 3 months ago

The patch that was applied here does fix the problem and has been released with v0.39.1. Because this patch is backported, scanning tools that only look at module versions may incorrectly report it as not fixed. #2748 will be followed by a v0.40.0 release that will allow scanning tools that only look at module versions to correctly report it as fixed.

I'd also like to take this time to remind everyone that reporting security concerns through public issues is not in alignment with our security policy or general best practices.
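The version-only false positive described in the reply above, as an added example that is not part of this thread or of the ADOT project: a small Python check that compares a go.mod module version against an advisory's fixed version and then consults a vendor backport record before calling the build vulnerable. The go.mod fragment, the advisory's fixed version and the backport table are constructed placeholders; v0.39.1 is the release named in the thread.

```python
import re

# Constructed go.mod fragment standing in for what a version-only scanner reads
# (from go.mod or `go version -m <binary>`). The module path is assumed; the
# version numbers are placeholders, not values from the issue or the advisory.
SAMPLE_GO_MOD = """module example.com/adot-collector

require (
    go.opentelemetry.io/collector/config/confighttp v0.100.0
    go.opentelemetry.io/collector/confmap v0.100.0
)
"""

# Placeholder advisory record: "fixed" is the first upstream module version that
# carries the fix. Look the real value up in the GHSA advisory before relying on it.
ADVISORY = {"module": "go.opentelemetry.io/collector/config/confighttp",
            "fixed": "v0.102.1"}

# Hypothetical vendor record of fixes backported into a release without a
# module-version bump; v0.39.1 is the ADOT release named in the thread.
BACKPORTS = {"v0.39.1": {"go.opentelemetry.io/collector/config/confighttp"}}

REQUIRE_RE = re.compile(r"^\s*(\S+)\s+(v\d+\.\d+\.\d+)\s*$", re.M)


def semver_tuple(version):
    """'v0.102.1' -> (0, 102, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.lstrip("v").split("."))


def parse_go_mod(text):
    """Return {module_path: version} for the require lines of a go.mod fragment."""
    return {m.group(1): m.group(2) for m in REQUIRE_RE.finditer(text)}


def assess(go_mod_text, release, advisory, backports):
    """Version-only verdict, corrected by the vendor backport record.

    Returns 'not-present', 'fixed-by-version', 'fixed-by-backport' or 'vulnerable'.
    A scanner that stops after the version comparison reports the backported
    case as 'vulnerable': the false positive the thread describes.
    """
    version = parse_go_mod(go_mod_text).get(advisory["module"])
    if version is None:
        return "not-present"
    if semver_tuple(version) >= semver_tuple(advisory["fixed"]):
        return "fixed-by-version"
    if advisory["module"] in backports.get(release, set()):
        return "fixed-by-backport"
    return "vulnerable"


if __name__ == "__main__":
    for rel in ("v0.39.0", "v0.39.1"):
        print(rel, assess(SAMPLE_GO_MOD, rel, ADVISORY, BACKPORTS))
```

Once a release bumps the module version itself (the v0.40.0 route described above), the check passes at the version comparison and no backport record is needed.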