opentelemetry-ebpf-profiler: Unprivileged process can trigger a denial of service on the ebpf-profiler agent
Description
Summary
An unprivileged process can easily trigger the processPIDEvents goroutine to be blocked indefinitely, preventing the goroutine from analyzing any new ELF file. The goroutine stays blocked in the openat2 syscall forever and the profiler can no longer work properly, it is a denial of service.
Impact
The impact is limited to denial-of-service on the ebpf-profiler agent: - There has to be a malicious workload albeit unprivileged. - No exfiltration of data. No loss of data.
Fix
Fixed in https://github.com/open-telemetry/opentelemetry-ebpf-profiler/commit/234b685cab31c2cb2f79e966caeab168bcc489e4.
Fix is part of v.0.0.202622.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
go.opentelemetry.io/ebpf-profilerGo | >= 0.0.202527, < 0.0.202622 | 0.0.202622 |
Affected products
1- Range: <=0.0.0-dev
Patches
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-f2r5-5m7w-p5cxghsaADVISORY
- github.com/open-telemetry/opentelemetry-ebpf-profiler/commit/234b685cab31c2cb2f79e966caeab168bcc489e4ghsaWEB
- github.com/open-telemetry/opentelemetry-ebpf-profiler/releases/tag/v0.0.202622ghsaWEB
- github.com/open-telemetry/opentelemetry-ebpf-profiler/security/advisories/GHSA-f2r5-5m7w-p5cxghsaWEB
News mentions
0No linked articles in our index yet.