Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2024-7254 for protobuf-java-3.23.4.jar which is from io.opentelemetry.proto:opentelemetry-proto:jar:1.3.2-alpha:runtime #19

Closed
patpatpat123 opened this issue Oct 28, 2024 · 16 comments

Comments

@patpatpat123
Copy link

Hello team,

First of all, since this is my first post here, just wanted to say thank you for this cool project.
I would like to reach out to report an issue.
We are using a springboot like java project, and even with the latest as of this writing (3.4.0-RC1) it seems there is an issue.

Our company runs regular daily scans (sonarqube, black duck, owasp dependency check, etc) and there is something that keeps being flagged:

[INFO] +- io.micrometer:micrometer-registry-otlp:jar:1.14.0-RC1:compile
[INFO] |  \- io.opentelemetry.proto:opentelemetry-proto:jar:1.3.2-alpha:runtime
[INFO] |     \- com.google.protobuf:protobuf-java:jar:3.23.4:runtime
[WARNING] 
One or more dependencies were identified with known vulnerabilities in project:
protobuf-java-3.23.4.jar (pkg:maven/com.google.protobuf/[email protected], cpe:2.3:a:google:protobuf-java:3.23.4:*:*:*:*:*:*:*, cpe:2.3:a:protobuf:protobuf:3.23.4:*:*:*:*:*:*:*) : CVE-2024-7254
See the dependency-check report for more details.

Could you please help get the correct dependency to fix this vulnerability?

Thank you for your help

@Kielek
Copy link

Kielek commented Oct 28, 2024

@patpatpat123, please check #16

@breedx-splk, FYI

@arminru
Copy link
Member

arminru commented Nov 5, 2024

@Kielek should we transfer this issue to https://github.com/open-telemetry/opentelemetry-proto-java?

@Kielek
Copy link

Kielek commented Nov 5, 2024

@arminru, I think that it is good idea.
I have pinged @breedx-splk once more time.

@arminru arminru transferred this issue from open-telemetry/opentelemetry-proto Nov 5, 2024
@breedx-splk
Copy link
Contributor

@patpatpat123 we have been using 4.28.2 for a couple months (see here)...but our release is a couple months out of date. The next release should resolve this.

I'll ping the maintainers to see if we can cut a release soon.

@breedx-splk
Copy link
Contributor

@patpatpat123 It looks like this repo is not so much intended for 3rd party use, but is instead mostly used for testing within the otel java components themselves. As such, we can't guarantee a release date or schedule.

If you need a new build of the proto bindings, it shouldn't be too much effort to build them yourself from the original .proto definitions.

@Kielek
Copy link

Kielek commented Nov 7, 2024

@breedx-splk, could you please document it in readme?
We have received requests in .NET that we should create production-ready packages. One of the reason was that the Java has it.

@trask
Copy link
Member

trask commented Nov 7, 2024

@Kielek are you looking for something more than this?

## Support
The generated java bindings published from this repository are provided as-is.
For generic documentation on how to use protobuf bindings,
see [gRPC documentation](https://grpc.io/docs/languages/java/generated-code/)
and [protobuf java documentation](https://protobuf.dev/reference/java/java-generated/).
We have no intention of eventually publishing stable artifacts. If you need guarantees,
please generate your own bindings,
consulting [grpc codegen](https://grpc.io/docs/languages/java/generated-code/#codegen) and
possibly [build.gradle.kts](build.gradle.kts)

@patpatpat123
Copy link
Author

Thank you guys for transferring this ticket to the correct repo. Hope this will make things move forward

@Kielek
Copy link

Kielek commented Nov 8, 2024

@trask, I missed it somehow. Thanks for highlighting it.

@breedx-splk
Copy link
Contributor

breedx-splk commented Nov 8, 2024

Given #20, I'm going to close this. Please reopen if this discussion needs to continue. Thanks!

@patpatpat123
Copy link
Author

Hello team, sorry for the ping, but I do not understand, sorry about that.

The CVE is still relevant.

And here is the dependency chain of the CVE:

[INFO] +- io.micrometer:micrometer-registry-otlp:jar:1.14.0-RC1:compile
[INFO] |  \- io.opentelemetry.proto:opentelemetry-proto:jar:1.3.2-alpha:runtime
[INFO] |     \- com.google.protobuf:protobuf-java:jar:3.23.4:runtime

May I ask what was actually fixed?

Do we have a new version of io.opentelemetry.proto:opentelemetry-proto:jar which is pulling something safer than com.google.protobuf:protobuf-java:jar:3.23.4:runtime ?

Thank you

@trask
Copy link
Member

trask commented Nov 9, 2024

hi @patpatpat123, unfortunately it looks like this artifact io.micrometer:micrometer-registry-otlp didn't follow our guidance:

We have no intention of eventually publishing stable artifacts. If you need guarantees, please generate your own bindings, consulting grpc codegen and possibly build.gradle.kts

@GFriedrich
Copy link

hi @trask,
are you aware that this library is actually even used by OpenTelemetry itself e.g. via this repository: https://github.com/open-telemetry/opentelemetry-collector-contrib
Are the maintainers over there aware of your decision here?

@trask
Copy link
Member

trask commented Nov 12, 2024

@GFriedrich
Copy link

@trask sorry, that was my mistake - it was the wrong contrib repository.
This is the right one: https://github.com/open-telemetry/opentelemetry-java-contrib

@trask
Copy link
Member

trask commented Nov 21, 2024

1.4.0 has been released

please note that this artifact is still marked -alpha and our recommendation is not to use it in production since we can't guarantee binary compatibility of the codegen classes across releases

we haven't yet decided what to do about the two (alpha) -java-contrib modules that are using it today

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants