Summary OpenTelemetry Collector is used by the CP4D Scheduling Service for telemetry collection. CVE-2024-36129. Vulnerability Details CVEID:CVE-2024-36129 DESCRIPTION: OpenTelemetry OpenTelemetry Collector is vulnerable to a denial of service, caused by an unsafe decompression vulnerability. By sending a zip bomb or decompression bomb using a specially crafted HTTP or gRPC request, a remote attacker could exploit this vulnerability to cause a resource consumption. CWE:CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CVSS Source: IBM X-Force CVSS Base score: 8.2 CVSS Vector:(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) Affected Products and Versions Affected Product(s)| Version(s) —|— IBM CloudPak for Data – Scheduling Service| 4.8.0 – 4.8.2 Remediation/Fixes Product(s)| Version(s)| Remediation/Fix/Instructions —|—|— IBM CloudPak for Data – Scheduling Service| 4.8.0 – 4.8.2| Download version 4.8.3 or higher and follow the upgrade instructions to resolve the issue. Workarounds and Mitigations…Read More
Security Bulletin: IBM CloudPak for Data Scheduling Service is vulernable to CVE-2024-36129.
