GHSA-f2r5-5m7w-p5cx
opentelemetry-ebpf-profiler: Unprivileged process can trigger a denial of service on the ebpf-profiler agent
Details
### Summary
An unprivileged process can easily cause the `processPIDEvents` goroutine to block indefinitely, which prevents it from analyzing any new ELF file. The goroutine stays blocked in the `openat2` syscall forever and the profiler can no longer work properly; this is a denial of service.
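The advisory does not spell out how the project fixed this (that is in the linked commit). The Go program below is an added example, not the profiler's own code, of one generic defensive pattern for an agent that must open files named by unprivileged processes it does not trust: open the path without ever blocking in the open syscall, refuse a symlink at the final component, and verify with `fstat` that the descriptor is a regular file before anything tries to parse it as ELF. The function names, the ELF-magic sample file and the temporary files are all constructed for this example and are assumptions, not identifiers from the project.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"syscall"
)

// ErrNotRegularFile is returned when a path resolves to something that is not
// a regular file (FIFO, device node, socket, directory, ...).
var ErrNotRegularFile = errors.New("path is not a regular file")

// OpenRegularFileNoBlock opens path read-only without ever blocking inside the
// open syscall. O_NONBLOCK makes the open of a FIFO or device return at once
// instead of waiting for a peer, O_NOFOLLOW rejects a symlink at the final
// path component, and the fstat check then refuses anything that is not a
// regular file before any ELF parsing happens. O_NONBLOCK has no effect on
// subsequent reads of a regular file, so the returned *os.File reads normally.
func OpenRegularFileNoBlock(path string) (*os.File, error) {
	flags := syscall.O_RDONLY | syscall.O_NONBLOCK | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
	fd, err := syscall.Open(path, flags, 0)
	if err != nil {
		return nil, fmt.Errorf("open %s: %w", path, err)
	}
	var st syscall.Stat_t
	if err := syscall.Fstat(fd, &st); err != nil {
		syscall.Close(fd)
		return nil, fmt.Errorf("fstat %s: %w", path, err)
	}
	if st.Mode&syscall.S_IFMT != syscall.S_IFREG {
		syscall.Close(fd)
		return nil, fmt.Errorf("%s: %w", path, ErrNotRegularFile)
	}
	return os.NewFile(uintptr(fd), path), nil
}

// HasELFMagic reports whether the file starts with the ELF magic \x7fELF.
// A file shorter than four bytes is simply not an ELF, not an error.
func HasELFMagic(f *os.File) (bool, error) {
	var magic [4]byte
	n, err := f.ReadAt(magic[:], 0)
	if err != nil && !errors.Is(err, io.EOF) {
		return false, err
	}
	return n == len(magic) && string(magic[:]) == "\x7fELF", nil
}

func main() {
	// Constructed inputs: a regular file carrying only the ELF magic, a FIFO,
	// and the directory itself. Only the regular file should be accepted.
	dir, err := os.MkdirTemp("", "elfguard")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	reg := filepath.Join(dir, "libexample.so")
	if err := os.WriteFile(reg, []byte("\x7fELF\x02\x01\x01"), 0o644); err != nil {
		panic(err)
	}
	fifo := filepath.Join(dir, "fifo")
	if err := syscall.Mkfifo(fifo, 0o600); err != nil {
		panic(err)
	}

	for _, p := range []string{reg, fifo, dir} {
		f, err := OpenRegularFileNoBlock(p)
		if err != nil {
			fmt.Println("refused:", err)
			continue
		}
		ok, _ := HasELFMagic(f)
		fmt.Printf("accepted %s (elf=%v)\n", p, ok)
		f.Close()
	}
}
```

The check is done on the descriptor after the open (`fstat`), not on the path before it (`stat`), so a process that swaps the path between the two calls gains nothing; the blocking-open case is handled by `O_NONBLOCK` rather than by a timeout, so no goroutine can get stuck in the syscall.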
### Impact
The impact is limited to denial-of-service on the ebpf-profiler agent:
- There has to be a malicious workload, albeit an unprivileged one.
- No exfiltration of data. No loss of data.
### Fix
Fixed in https://github.com/open-telemetry/opentelemetry-ebpf-profiler/commit/234b685cab31c2cb2f79e966caeab168bcc489e4.
Fix is part of [v0.0.202622](https://github.com/open-telemetry/opentelemetry-ebpf-profiler/releases/tag/v0.0.202622).
### Affected packages
go.opentelemetry.io/ebpf-profiler: 0.0.202527 (fixed in 0.0.202622). Upgrade with `go get go.opentelemetry.io/ebpf-profiler@v0.0.202622`.
### References
- https://github.com/open-telemetry/opentelemetry-ebpf-profiler/security/advisories/GHSA-f2r5-5m7w-p5cx [WEB]
- https://github.com/open-telemetry/opentelemetry-ebpf-profiler/commit/234b685cab31c2cb2f79e966caeab168bcc489e4 [WEB]
- https://github.com/open-telemetry/opentelemetry-ebpf-profiler [PACKAGE]
- https://github.com/open-telemetry/opentelemetry-ebpf-profiler/releases/tag/v0.0.202622 [WEB]