High severityNVD Advisory· Published Jun 5, 2024· Updated Aug 2, 2024
OpenTelemetry Collector has a Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
CVE-2024-36129
Description
The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
go.opentelemetry.io/collector/config/confighttpGo | < 0.102.0 | 0.102.0 |
go.opentelemetry.io/collector/config/configgrpcGo | < 0.102.1 | 0.102.1 |
Affected products
56- osv-coords55 versionspkg:apk/chainguard/datadog-agentpkg:apk/chainguard/datadog-agent-core-integrationspkg:apk/chainguard/datadog-agent-core-integrations-fipspkg:apk/chainguard/datadog-agent-fakeintakepkg:apk/chainguard/datadog-agent-fakeintake-fipspkg:apk/chainguard/datadog-agent-fipspkg:apk/chainguard/datadog-agent-jmxpkg:apk/chainguard/datadog-agent-jmx-fipspkg:apk/chainguard/datadog-agent-oci-compatpkg:apk/chainguard/datadog-agent-oci-compat-fipspkg:apk/chainguard/datadog-agent-s6-overlaypkg:apk/chainguard/datadog-agent-s6-overlay-fipspkg:apk/chainguard/datadog-cluster-agentpkg:apk/chainguard/datadog-cluster-agent-fipspkg:apk/chainguard/datadog-cluster-agent-oci-compatpkg:apk/chainguard/datadog-cluster-agent-oci-compat-fipspkg:apk/chainguard/dogstatsdpkg:apk/chainguard/opentelemetry-collectorpkg:apk/chainguard/opentelemetry-collector-compatpkg:apk/chainguard/opentelemetry-collector-contribpkg:apk/chainguard/opentelemetry-collector-contrib-compatpkg:apk/chainguard/opentelemetry-collector-contrib-fipspkg:apk/chainguard/opentelemetry-collector-fipspkg:apk/chainguard/opentelemetry-collector-ocbpkg:apk/chainguard/opentelemetry-collector-ocb-fipspkg:apk/chainguard/tempopkg:apk/chainguard/tempo-clipkg:apk/chainguard/tempo-fipspkg:apk/chainguard/tempo-fips-clipkg:apk/chainguard/tempo-fips-querypkg:apk/chainguard/tempo-fips-vulturepkg:apk/chainguard/tempo-querypkg:apk/chainguard/tempo-vulturepkg:apk/wolfi/datadog-agentpkg:apk/wolfi/datadog-agent-core-integrationspkg:apk/wolfi/datadog-agent-fakeintakepkg:apk/wolfi/datadog-agent-jmxpkg:apk/wolfi/datadog-agent-oci-compatpkg:apk/wolfi/datadog-agent-s6-overlaypkg:apk/wolfi/datadog-cluster-agentpkg:apk/wolfi/datadog-cluster-agent-oci-compatpkg:apk/wolfi/dogstatsdpkg:apk/wolfi/opentelemetry-collectorpkg:apk/wolfi/opentelemetry-collector-compatpkg:apk/wolfi/opentelemetry-collector-contribpkg:apk/wolfi/opentelemetry-collector-contrib-compatpkg:apk/wolfi/opentelemetry-collector-ocbpkg:apk/wolfi/tempopkg:apk/wolfi/tempo-clipkg:apk/wolfi/tempo-querypkg:apk/wolfi/tempo-vulturepkg:bitnami/opentelemetry-collectorpkg:golang/go.opentelemetry.io/collector/config/configgrpcpkg:golang/go.opentelemetry.io/collector/config/confighttppkg:rpm/opensuse/alloy&distro=openSUSE%20Tumbleweed
< 7.54.0-r3+ 54 more
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r4
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r4
- (no CPE)range: < 7.54.0-r4
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r4
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r4
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r4
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r4
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r4
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 0.102.1-r0
- (no CPE)range: < 0.102.1-r0
- (no CPE)range: < 0.102.0-r2
- (no CPE)range: < 0.102.0-r2
- (no CPE)range: < 0.101.0-r2
- (no CPE)range: < 0.102.1-r0
- (no CPE)range: < 0.102.1-r0
- (no CPE)range: < 0.102.1-r0
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.6.0-r0
- (no CPE)range: < 2.6.0-r0
- (no CPE)range: < 2.6.0-r0
- (no CPE)range: < 2.6.0-r0
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 7.54.0-r3
- (no CPE)range: < 0.102.1-r0
- (no CPE)range: < 0.102.1-r0
- (no CPE)range: < 0.102.0-r2
- (no CPE)range: < 0.102.0-r2
- (no CPE)range: < 0.102.1-r0
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 0.102.1
- (no CPE)range: < 0.102.1
- (no CPE)range: < 0.102.0
- (no CPE)range: < 1.4.3-1.1
- Range: < 0.102.1
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-c74f-6mfw-mm4vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-36129ghsaADVISORY
- github.com/open-telemetry/opentelemetry-collector/pull/10289ghsax_refsource_MISCWEB
- github.com/open-telemetry/opentelemetry-collector/pull/10323ghsax_refsource_MISCWEB
- github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4vghsax_refsource_CONFIRMWEB
- opentelemetry.io/blog/2024/cve-2024-36129ghsax_refsource_MISCWEB
- pkg.go.dev/vuln/GO-2024-2900ghsaWEB
News mentions
0No linked articles in our index yet.