[CVE] CVE-2023-32731: Vulnerability in GRPC #2231

Closed
marcalff opened this issue Jul 12, 2023 · 3 comments
Labels
CVE Common Vulnerabilities and Exposures

Comments

@marcalff
Member

Per:

gRPC - protobuf < 1.53.0 is vulnerable.

In opentelemetry-cpp, this affects the OTLP GRPC exporter.

Upgrade the build to support gRPC protobuf >= 1.53.0

@marcalff added the `bug` label on Jul 12, 2023
@github-actions bot added the `needs-triage` label on Jul 12, 2023
@marcalff added the `CVE` label and removed the `bug` and `needs-triage` labels on Jul 12, 2023
@esigo
Member

esigo commented Jul 12, 2023

Do we need to remove C++11 earlier?

@esigo added the `triage/accepted` label on Jul 12, 2023
@marcalff
Member Author

I don't think we need to drop C++11, but at least we should document the risks with using the OTLP GRPC exporter.

Using different exporters should not expose the issue, so a C++11 build is still viable.

@marcalff
Member Author

Fixed indirectly in opentelemetry-cpp 1.11.0 by PR #2163

Now that building with a more recent (non-vulnerable) gRPC library is possible, the issue is resolved.

@marcalff removed the `triage/accepted` label on Aug 23, 2023