CVE-2024-36129 OpenTelemetry Collector has a Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC

2024-06-0517:26:13

CWE-119

GitHub_M

github.com

opentelemetry collector

denial of service

zip/decompression bomb

http

grpc

vulnerability

memory consumption

otel collector

confighttp module

configgrpc module

version 0.102.1

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

AI Score

6.7

Confidence

Low

SSVC

Exploitation

poc

Automatable

yes

Technical Impact

partial

JSON

The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.

CNA Affected

[
  {
    "vendor": "open-telemetry",
    "product": "opentelemetry-collector",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.102.1"
      }
    ]
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:*:*:*"
    ],
    "vendor": "opentelemetry",
    "product": "opentelemetry",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "0.102.1",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]