Headline
Red Hat Security Advisory 2024-3943-03
Red Hat Security Advisory 2024-3943-03 - Red Hat OpenShift distributed tracing 3.2.1. Issues addressed include a denial of service vulnerability.
The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3943.jsonRed Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis: Important: Red Hat OpenShift distributed tracing 3.2.1 operator containers security updateAdvisory ID: RHSA-2024:3943-03Product: Red Hat OpenShift distributed tracingAdvisory URL: https://access.redhat.com/errata/RHSA-2024:3943Issue date: 2024-06-17Revision: 03CVE Names: CVE-2024-36129====================================================================Summary: Red Hat OpenShift distributed tracing 3.2.1Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Release of Red Hat OpenShift distributed tracing provides these changes:Security Fix(es):* opentelemetry-collector: denial of service via specially crafted HTTP or gRPC request (CVE-2024-36129)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-36129References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2291337https://issues.redhat.com/browse/TRACING-4344Related news
### Summary An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. ### Details The OpenTelemetry Collector handles compressed HTTP requests by recognizing the Content-Encoding header, rewriting the HTTP request body, and allowing subsequent handlers to process decompressed data. It supports the gzip, zstd, zlib, snappy, and deflate compression algorithms. A "zip bomb" or "decompression bomb" is a malicious archive designed to crash or disable the system reading it. Decompression of HTTP requests is typically not enabled by default in popular server solutions due to associated security risks. A malicious attacker could leverage this weakness to crash the collector by sending a small request that, when uncompressed by the server, results in excessive memory consumption. During proof-of-concept (PoC) testing, all supported compression algorithms could be abused, with zstd causing the most significant impact. Compre...