GHSA-f2r5-5m7w-p5cx
opentelemetry-ebpf-profiler: Unprivileged process can trigger a denial of service on the ebpf-profiler agent
Details
### Summary
An unprivileged process can easily cause the `processPIDEvents` goroutine to block indefinitely, which prevents it from analyzing any new ELF file. The goroutine stays blocked in the `openat2` syscall forever and the profiler can no longer work properly; this is a denial of service.
### Impact
The impact is limited to denial of service on the ebpf-profiler agent:
- There has to be a malicious workload, albeit an unprivileged one.
- No exfiltration of data. No loss of data.
### Fix
Fixed in https://github.com/open-telemetry/opentelemetry-ebpf-profiler/commit/234b685cab31c2cb2f79e966caeab168bcc489e4.
The fix is part of [v0.0.202622](https://github.com/open-telemetry/opentelemetry-ebpf-profiler/releases/tag/v0.0.202622).
Affected packages
- go.opentelemetry.io/ebpf-profiler (Go): 0.0.202527; fixed version: 0.0.202622
- `go get go.opentelemetry.io/ebpf-profiler@v0.0.202622`

References
- https://github.com/open-telemetry/opentelemetry-ebpf-profiler/security/advisories/GHSA-f2r5-5m7w-p5cx [WEB]
- https://github.com/open-telemetry/opentelemetry-ebpf-profiler/commit/234b685cab31c2cb2f79e966caeab168bcc489e4 [WEB]
- https://github.com/open-telemetry/opentelemetry-ebpf-profiler [PACKAGE]
- https://github.com/open-telemetry/opentelemetry-ebpf-profiler/releases/tag/v0.0.202622 [WEB]