PT-2024-4606 · Unknown · Opentelemetry Collector+2

Stamparm · Published 2024-05-31 · Updated 2025-11-10 · CVE-2024-36129
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:C
Name of the Vulnerable Software and Affected Versions: OpenTelemetry Collector versions prior to 0.102.1; confighttp module versions prior to 0.102.0; configgrpc module versions prior to 0.102.1.
Description: An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. The OpenTelemetry Collector handles compressed HTTP requests by recognizing the Content-Encoding header, rewriting the HTTP request body, and allowing subsequent handlers to process decompressed data. A malicious attacker could leverage this weakness to crash the collector by sending a small request that, when uncompressed by the server, results in excessive memory consumption. The issue was confirmed through proof-of-concept testing, where all supported compression algorithms could be abused, with zstd causing the most significant impact.
Recommendations: For OpenTelemetry Collector versions prior to 0.102.1, update to version 0.102.1 or later. For confighttp module versions prior to 0.102.0, update to version 0.102.0 or later. For configgrpc module versions prior to 0.102.1, update to version 0.102.1 or later. As a temporary workaround, consider disabling support for decompressing client HTTP requests entirely, or limiting the size of the decompressed data that can be processed. Limiting the decompressed data size can be achieved by wrapping the decompressed data reader inside an io.LimitedReader, which restricts reading to a specified number of bytes, so that a small compressed request can never expand into an unbounded amount of memory on the server.
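The following is an added example, not code from the OpenTelemetry Collector project, illustrating the mechanism in the description (a Content-Encoding aware handler that rewrites the request body) together with the io.LimitedReader workaround from the recommendations. It assumes a plain net/http server handling only gzip (the collector also supports other encodings, including zstd), a hypothetical /v1/traces endpoint, and a 1 MiB cap on decompressed size; the payloads used for the demonstration are constructed inline.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ErrDecompressedTooLarge is returned when the decompressed body exceeds the cap.
var ErrDecompressedTooLarge = errors.New("decompressed body exceeds limit")

// readDecompressedBody decompresses a gzip-encoded body while reading at most
// maxBytes of decompressed data. The io.LimitedReader is given maxBytes+1 so
// that "exactly at the limit" can be told apart from "over the limit" without
// ever buffering more than maxBytes+1 bytes in memory.
func readDecompressedBody(body io.Reader, encoding string, maxBytes int64) ([]byte, error) {
	var r io.Reader = body
	switch encoding {
	case "gzip":
		gz, err := gzip.NewReader(body)
		if err != nil {
			return nil, err
		}
		defer gz.Close()
		r = gz
	case "", "identity":
		// Body is not compressed; still cap it so large plain bodies are bounded too.
	default:
		return nil, fmt.Errorf("unsupported content-encoding %q", encoding)
	}
	lr := &io.LimitedReader{R: r, N: maxBytes + 1}
	data, err := io.ReadAll(lr)
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrDecompressedTooLarge
	}
	return data, nil
}

// limitedDecompressHandler recognizes Content-Encoding, rewrites the request
// body with the (bounded) decompressed data and hands it to the next handler.
// Bodies that would expand past maxBytes are rejected with 413.
func limitedDecompressHandler(next http.Handler, maxBytes int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		data, err := readDecompressedBody(req.Body, req.Header.Get("Content-Encoding"), maxBytes)
		if errors.Is(err, ErrDecompressedTooLarge) {
			http.Error(w, "decompressed payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil {
			http.Error(w, "bad request body", http.StatusBadRequest)
			return
		}
		req.Body = io.NopCloser(bytes.NewReader(data))
		req.Header.Del("Content-Encoding")
		req.ContentLength = int64(len(data))
		next.ServeHTTP(w, req)
	})
}

// gzipBytes compresses a constructed payload for the demonstration.
func gzipBytes(payload []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(payload)
	zw.Close()
	return buf.Bytes()
}

// serve runs one gzip-encoded request through the middleware and returns the
// HTTP status code the client would see (hypothetical /v1/traces endpoint).
func serve(compressed []byte, maxBytes int64) int {
	h := limitedDecompressHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}), maxBytes)
	req := httptest.NewRequest(http.MethodPost, "/v1/traces", bytes.NewReader(compressed))
	req.Header.Set("Content-Encoding", "gzip")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const limit = 1 << 20 // 1 MiB of decompressed data allowed
	small := gzipBytes([]byte(`{"resourceSpans":[]}`))
	// Constructed highly compressible payload: 8 MiB of zeros gzips to a few KiB,
	// which is the small-request / large-expansion shape the advisory describes.
	big := gzipBytes(make([]byte, 8<<20))
	fmt.Printf("small request (%d bytes compressed): status %d\n", len(small), serve(small, limit))
	fmt.Printf("highly compressible request (%d bytes compressed): status %d\n", len(big), serve(big, limit))
}
```

Without the LimitedReader, io.ReadAll on the gzip reader would allocate the full 8 MiB (or whatever the payload expands to) per request; with it, the handler never holds more than the cap plus one byte, and the oversized request is refused before any downstream handler sees it.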

Exploit · Fix

Weakness Enumeration: Resource Exhaustion, Buffer Overflow

Related Identifiers

BDU:2024-05114
BIT-OPENTELEMETRY-COLLECTOR-2024-36129
CVE-2024-36129
GHSA-C74F-6MFW-MM4V
GO-2024-2900
OPENSUSE-SU-2024:14439-1

Affected Products

Opentelemetry Collector
Configgrpc
Confighttp