diff --git a/content/en/blog/2024/cve-2024-36129/index.md b/content/en/blog/2024/cve-2024-36129/index.md index e5dbec4af498..819e56362721 100644 --- a/content/en/blog/2024/cve-2024-36129/index.md +++ b/content/en/blog/2024/cve-2024-36129/index.md @@ -6,7 +6,7 @@ author: '[Juraci Paixão Kröhling](https://github.com/jpkrohling) (OpenTelemetry, Grafana Labs), [Pablo Baeyens](https://github.com/mx-psi) (OpenTelemetry, Datadog)' -cSpell:ignore: confighttp Baeyens OSTIF zstd configgrpc Miroslav Stampar +cSpell:ignore: Baeyens configgrpc confighttp Miroslav OSTIF Stampar zstd --- On our path toward graduation, the OpenTelemetry project is currently undergoing @@ -20,7 +20,7 @@ On 31 May 2024, we received [a more serious report](https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v): a malicious user could cause a denial of service (DoS) when using a specially crafted HTTP or gRPC request. The advisory was assigned the following CVE -identifier: [CVE-2024-36129](https://nvd.nist.gov/vuln/detail/CVE-2024-36129). +identifier: CVE-2024-36129. When sending an HTTP request with a compressed payload, the Collector would verify only whether the compressed payload is beyond a certain limit, but not @@ -52,7 +52,7 @@ right after that. You are affected by this vulnerability if you have an OpenTelemetry Collector with one or more HTTP or gRPC receivers on a public port, such as the OTLP Receiver with the “HTTP” or “gRPC” protocol enabled (typically on ports 4318 and -4317, respectively) AND the receiver has version 0.101.0 or below. The +4317, respectively) AND the receiver has version 0.102.0 or below. The vulnerability is exploitable only by attackers who can send payloads to your HTTP/gRPC endpoint(s). 
@@ -64,7 +64,7 @@ gRPC, the exploitable code is executed before authentication. If you manage a Collector that has an interface to the public internet, you should upgrade it as soon as feasible, and consider setting the parameter -“MaxRequestBodySize” on HTTP receivers, such as the OTLP receiver, to a value +`max_request_body_size` on HTTP receivers, such as the OTLP receiver, to a value that makes sense to your workload. Up to v0.101.0, this setting applied only to the payload size sent by the client, which could often be compressed.
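Review bot: the NVD link on the CVE identifier in the `@@ -20,7 +20,7 @@` hunk is removed with no replacement, so the post now names CVE-2024-36129 without citing any record for it. If the NVD entry simply was not published when this was written, point the identifier at the GHSA advisory already linked in the same paragraph (GHSA-c74f-6mfw-mm4v) or note in the PR why the link was dropped, so a later editor does not silently re-add a URL that may be dead.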
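Review bot: the affected-version threshold in the `@@ -52,7 +52,7 @@` hunk moves from `0.101.0 or below` to `0.102.0 or below`, but the `@@ -64,7 +64,7 @@` hunk leaves `Up to v0.101.0, this setting applied only to the payload size sent by the client` untouched. If 0.102.0 is the last affected release, those two statements now disagree, and an operator on 0.102.0 could read the second one as saying `max_request_body_size` already protects them. Please confirm the fixed release against the advisory and make both sentences agree; if the HTTP (confighttp) and gRPC (configgrpc) fixes landed in different releases, state the two version boundaries explicitly rather than one shared number.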
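Review bot: replacing `“MaxRequestBodySize”` with the YAML key `` `max_request_body_size` `` in the `@@ -64,7 +64,7 @@` hunk is correct, since operators configure the Collector in YAML rather than through the Go struct field, but the mitigation paragraph still covers only HTTP receivers while the context line immediately above says the exploitable gRPC code also runs before authentication. A gRPC-only reader is left without guidance; please either name the equivalent gRPC setting if one exists, or say plainly that for gRPC receivers upgrading is the only mitigation.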