rickbansal-mulesoft / otel-mule4-observability-agent


Vulnerabilities Detected on Veracode Application Security Report #13

Open karthik300300 opened 9 months ago

karthik300300 commented 9 months ago

We are seeing one high severity and one low severity vulnerability on our Veracode scan, as mentioned below, for which we would like to check if there are any recommendations or possible fixes in the upcoming versions.

Severity -> High

Category -> Information leakage

Description -> Improper Restriction of XML External Entity Reference (CWE ID 611) (1 flaw). The product processes an XML document that can contain XML entities with URLs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. By default, the XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the attacker could gain access to information about an internal network, local filesystem, or other sensitive data. This is known as an XML eXternal Entity (XXE) attack.

Recommendations -> Configure the XML parser to disable external entity resolution.

Module -> otel-mule4-observability-agent1.3.0-mule-plugin.jar

Location -> .../MuleConnectorConfigStore.java 100

=======

Severity -> Low

Category -> Code quality

Description -> Use of Wrong Operator in String Comparison. Using '==' to compare two strings for equality or '!=' for inequality actually compares the object references rather than their values. It is unlikely that this reflects the intended application logic. Code quality issues stem from failure to follow good coding practices and can lead to unpredictable behavior. These may include but are not limited to:

Recommendations -> Use the equals() method to compare strings, not the '==' or '!=' operator.

Module -> otel-mule4-observability-agent1.3.0-mule-plugin.jar

Location -> .../MuleConnectorConfigStore.java 126 .../MuleConnectorConfigStore.java 126
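
The two findings above, as an added example that is not the agent's own code: a `DocumentBuilderFactory` configured the way the CWE-611 recommendation asks (DOCTYPE declarations and external entity resolution disabled, per the OWASP XXE prevention guidance for JAXP parsers), next to a value comparison done with `equals()` rather than `==`. The class and method names (`HardenedXmlConfigLoader`, `hardenedFactory`, `parseConfig`, `isTracingEnabled`) and both sample documents are constructed for illustration and do not correspond to anything in `MuleConnectorConfigStore.java`.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical example class; not the agent's MuleConnectorConfigStore.
public class HardenedXmlConfigLoader {

    // Finding 1 (CWE-611): a factory that cannot resolve external entities.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: refuse any DOCTYPE, so no entity (internal or external)
        // can be declared at all. Documents with a DOCTYPE fail to parse.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where the feature above is not honoured.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5+ properties: an empty protocol list forbids every external fetch.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // Parses an in-memory configuration document with the hardened factory.
    static Document parseConfig(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Finding 2: compare string content with equals(), never with ==.
    // Putting the literal first makes the call null-safe.
    static boolean isTracingEnabled(String value) {
        return "true".equals(value);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document (no DOCTYPE): parses normally.
        String benign = "<config><tracing>true</tracing></config>";
        Document doc = parseConfig(benign);
        String tracing = doc.getElementsByTagName("tracing").item(0).getTextContent();
        // equals() compares the characters: true.
        System.out.println("equals():  " + isTracingEnabled(tracing));
        // == compares references; the parsed value is a distinct String object,
        // so this is false even though the text is identical.
        System.out.println("==:        " + (tracing == "true"));

        // Constructed document carrying a DOCTYPE with a harmless internal entity.
        // The hardened parser rejects it before any entity would be resolved,
        // which is what blocks the XXE pattern the Veracode finding describes.
        String withDoctype = "<!DOCTYPE config [<!ENTITY name \"x\">]><config>&name;</config>";
        try {
            parseConfig(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Compile and run it with a plain JDK (`javac HardenedXmlConfigLoader.java && java HardenedXmlConfigLoader`); the JDK's built-in Xerces parser supports all of the feature URIs used. When auditing a finding like this one, the check is simply whether the `DocumentBuilderFactory` (or `SAXParserFactory`, `XMLInputFactory`) at the flagged line is created with these settings before `newDocumentBuilder()` is called; a bare `DocumentBuilderFactory.newInstance()` followed directly by `parse()` is what scanners report as CWE-611.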

chp32 commented 8 months ago

My security team raised this same impediment. This is blocking us from deploying OTel.

mendezp9916 commented 7 months ago

Hello, any status or update on this issue. This is a key blocker/impediment for my team to continue our effort to deploy OTel as part of our Observability strategy.

rickbansal-mulesoft commented 7 months ago

Thanks for bringing this to my attention. I will look into it and get back to you.

mendezp9916 commented 7 months ago

Awesome, thank you very much for the super fast response. This is a great capability whereby we are integrating 3rd party systems with our observability tool via OTEL. It appears many companies are trying to do the same.

mendezp9916 commented 7 months ago

Hello Rick, just checking if there is any idea on this vulnerability issue and its resolution?

mendezp9916 commented 5 months ago

Hello Rick, any update on these vulnerability issues? Prioritized for resolution?

donutinfantry commented 2 months ago

Hello Rick. We were flagged with the same vulnerability. Any update? Thanks!