signalfx/splunk-otel-js

jaeger-client package contains a Buffer Overflow vulnerability.

kumachop2 opened this issue · 6 comments

Explanation
The jaeger-client package contains a Buffer Overflow vulnerability. The append function in udp_sender.js does not properly limit the number of spans being appended during a flush to ensure that they fit within the _maxSpanBytes buffer. An attacker can exploit this by appending a large number of spans during a flush, causing an EMSGSIZE error and ultimately a Denial of Service (DoS).

Detection
The application is vulnerable by using this component.

Recommendation
There is no non-vulnerable version of this component/package. We recommend investigating alternative components or a potential mitigating control.

Root Cause
jaeger-client.3.19.0[3.14.3, )
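
Added illustration, not code from jaeger-client or splunk-otel-js: a simplified span batcher that performs the size check the report describes as missing, so a single flush can never exceed the byte budget of one datagram. The class and function names, the JSON stand-in for the Thrift encoding, and the byte budgets used are all constructed for this example.

```javascript
// Constructed example: a span batcher that bounds every flush to a byte
// budget (the role of _maxSpanBytes in the report). JSON length stands in
// for the Thrift encoding the real sender uses; the budget is assumed to be
// what remains for spans after any batch header overhead.
class BoundedSpanBatcher {
  constructor(maxSpanBytes, sendFn) {
    this.maxSpanBytes = maxSpanBytes;
    this.send = sendFn;   // receives one array of spans per flush
    this.batch = [];
    this.batchBytes = 0;
    this.dropped = 0;     // spans that could never fit a single datagram
  }

  spanSize(span) {
    return Buffer.byteLength(JSON.stringify(span), 'utf8');
  }

  append(span) {
    const size = this.spanSize(span);
    if (size > this.maxSpanBytes) {
      // An oversized span is rejected up front rather than being queued,
      // where it would make the next flush fail with EMSGSIZE.
      this.dropped += 1;
      return { appended: false, reason: 'span exceeds maxSpanBytes' };
    }
    if (this.batchBytes + size > this.maxSpanBytes) {
      this.flush();       // emit the current batch before it would overflow
    }
    this.batch.push(span);
    this.batchBytes += size;
    return { appended: true, batchBytes: this.batchBytes };
  }

  flush() {
    if (this.batch.length === 0) return 0;
    const count = this.batch.length;
    this.send(this.batch);
    this.batch = [];
    this.batchBytes = 0;
    return count;
  }
}

// Feeds spans through the batcher and verifies every emitted datagram
// stayed within the budget. Returns counts for checking.
function simulate(maxSpanBytes, spans) {
  const sent = [];
  const batcher = new BoundedSpanBatcher(maxSpanBytes, (b) => sent.push(b));
  for (const span of spans) batcher.append(span);
  batcher.flush();
  const allFit = sent.every(
    (b) => b.reduce((acc, s) => acc + batcher.spanSize(s), 0) <= maxSpanBytes
  );
  return { datagrams: sent.length, dropped: batcher.dropped, allFit };
}
```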

seemk commented

We don't use Jaeger over UDP.

Thank you for the prompt response. Please provide additional details so I can work with our security team on a waiver. Also, I did notice the jaeger client was removed in an earlier version, v0.18; if so, why is it being reported? #445

seemk commented

OpenTelemetry's Jaeger export is still relying on the jaeger-client package (open-telemetry/opentelemetry-js#2618). This should hopefully be fixed soon.

As for our repository - this is the code that creates a Jaeger exporter: https://github.com/signalfx/splunk-otel-js/blob/main/src/tracing/options.ts#L192-L213

It sets the endpoint configuration option; if this option is set, OpenTelemetry switches to the Jaeger HTTP sender: https://github.com/open-telemetry/opentelemetry-js/blob/main/packages/opentelemetry-exporter-jaeger/src/jaeger.ts#L134

So our distro does not hit the UDP code path.

Hopefully once the issue in OTel is resolved, vulnerability detection tools will stop reporting it. But in our case it is not a vulnerability unless users explicitly pass in a Jaeger UDP exporter via advanced config.

seemk commented

Is there a link to this report anywhere? Would be nice to see the details.

seemk commented

Jaeger exporter will be removed in an upcoming 2.0 release.