#VU91596 Buffer overflow in OpenTelemetry Collector - CVE-2024-36129

Cybersecurity Help s.r.o.

Published: 2024-06-10

Vulnerability identifier: #VU91596

Vulnerability risk: High

CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-36129

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenTelemetry Collector
Other software / Other software solutions

Vendor: OpenTelemetry

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the Zip/Decompression Bomb sent over HTTP or gRPC. A remote attacker can trigger memory corruption and cause a denial of service condition on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenTelemetry Collector: 0.0.1 - 0.101.0

External links
https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
https://github.com/open-telemetry/opentelemetry-collector/pull/10289
https://github.com/open-telemetry/opentelemetry-collector/pull/10323
https://opentelemetry.io/blog/2024/cve-2024-36129

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Splunk Enterprise update for third-party components

Buffer overflow in IBM App Connect Enterprise Certified Container

Buffer overflow in Red Hat OpenShift distributed tracing (RHOSDT) 3.2

Denial of service in Agent

Denial of service in OpenTelemetry Collector