removed broken link, smaller tweaks
Signed-off-by: Juraci Paixão Kröhling <[email protected]>
jpkrohling committed Jun 5, 2024
1 parent adfab58 commit d37a1d4
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions content/en/blog/2024/cve-2024-36129/index.md
@@ -6,7 +6,7 @@ author:
'[Juraci Paixão Kröhling](https://github.com/jpkrohling) (OpenTelemetry,
Grafana Labs), [Pablo Baeyens](https://github.com/mx-psi) (OpenTelemetry,
Datadog)'
cSpell:ignore: confighttp Baeyens OSTIF zstd configgrpc Miroslav Stampar
cSpell:ignore: Baeyens configgrpc confighttp Miroslav OSTIF Stampar zstd
---

On our path toward graduation, the OpenTelemetry project is currently undergoing
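Review bot: the cSpell:ignore line is only re-sorted alphabetically; the seven tokens on the removed line (confighttp, Baeyens, OSTIF, zstd, configgrpc, Miroslav, Stampar) all reappear on the added line, so no ignored spelling is lost and the front matter stays valid. Nothing to change here.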
@@ -20,7 +20,7 @@ On 31 May 2024, we received
[a more serious report](https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v):
a malicious user could cause a denial of service (DoS) when using a specially
crafted HTTP or gRPC request. The advisory was assigned the following CVE
identifier: [CVE-2024-36129](https://nvd.nist.gov/vuln/detail/CVE-2024-36129).
identifier: CVE-2024-36129.

When sending an HTTP request with a compressed payload, the Collector would
verify only whether the compressed payload is beyond a certain limit, but not
@@ -52,7 +52,7 @@ right after that.
You are affected by this vulnerability if you have an OpenTelemetry Collector
with one or more HTTP or gRPC receivers on a public port, such as the OTLP
Receiver with the “HTTP” or “gRPC” protocol enabled (typically on ports 4318 and
4317, respectively) AND the receiver has version 0.101.0 or below. The
4317, respectively) AND the receiver has version 0.102.0 or below. The
vulnerability is exploitable only by attackers who can send payloads to your
HTTP/gRPC endpoint(s).

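Review bot: the affected range moves from "0.101.0 or below" to "0.102.0 or below" on the `4317, respectively) AND the receiver has version 0.102.0 or below.` line; that is the more conservative bound for readers, but the sentence would be clearer if it also named the first release that contains the fix, so an operator can check a running Collector against a single version rather than infer it from the bound.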
@@ -64,7 +64,7 @@ gRPC, the exploitable code is executed before authentication.

If you manage a Collector that has an interface to the public internet, you
should upgrade it as soon as feasible, and consider setting the parameter
“MaxRequestBodySize” on HTTP receivers, such as the OTLP receiver, to a value
`max_request_body_size` on HTTP receivers, such as the OTLP receiver, to a value
that makes sense to your workload. Up to v0.101.0, this setting applied only to
the payload size sent by the client, which could often be compressed.

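Review bot: switching the prose name "MaxRequestBodySize" to the code-formatted config key `max_request_body_size` is the right call, since that is what an operator types into the receiver configuration. The unchanged context line "Up to v0.101.0, this setting applied only to the payload size sent by the client" now disagrees with the earlier hunk, which raised the affected range to 0.102.0 or below; if 0.102.0 still has the old size check, this sentence should read "Up to v0.102.0" as well, otherwise the two statements contradict each other.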