Security Bulletin: IBM Observability with Instana (OnPrem) is affected by multiple security vulnerabilities
Summary: Multiple vulnerabilities were remediated in IBM Observability with Instana OnPrem build 283. Vulnerability Details: CVEID: CVE-2022-40897 DESCRIPTION: Pypa Setuptools is vulnerable to a denial of service, caused by improper input validation. By sending a request with a specially crafted regula...
Security Bulletin: IBM Observability with Instana for Self-Hosted Standard Edition is affected by Multiple Security Vulnerabilities
Summary: Multiple vulnerabilities were remediated in IBM Observability with Instana for Self-Hosted Standard Edition 281. Vulnerability Details: CVEID: CVE-2022-41722 DESCRIPTION: Golang Go could allow a remote attacker to traverse directories on the system, caused by a flaw in the filepath.Clean...
Security Bulletin: IBM Observability with Instana for Self-Hosted Standard Edition is affected by multiple Vulnerabilities
Summary: Multiple vulnerabilities were remediated in IBM Observability with Instana for Self-Hosted Standard Edition 281: CVE-2024-24790, CVE-2023-24538, CVE-2023-24540, CVE-2022-1996. Vulnerability Details: CVEID: CVE-2024-24790 DESCRIPTION: An unspecified error related to various Is methods IsPrivat...
Moderate: Red Hat Security Advisory: Cluster Observability Operator 0.4.1
The Cluster Observability Operator is a Kubernetes operator which enables the management of Monitoring/Alerting stacks through Kubernetes CRDs. Cluster Observability Operator Security Fixes: coo-prometheus-container: go-retryablehttp: url might write sensitive information to log file coo-0...
Malicious code in @fdp-tools/observability (npm)
Source: ossf-package-analysis 3470fe72252929511b982b06c857fe2d4c8030b512a880c9bc15a088be17c838 The OpenSSF Package Analysis project identified '@fdp-tools/observability' @ 1.1.3 npm as malicious. It is considered malicious because: - The...
MAL-2024-9107 Malicious code in @fdp-tools/observability (npm)
Source: ossf-package-analysis 3470fe72252929511b982b06c857fe2d4c8030b512a880c9bc15a088be17c838 The OpenSSF Package Analysis project identified '@fdp-tools/observability' @ 1.1.3 npm as malicious. It is considered malicious because: - The...
Security Bulletin: IBM Instana Observability is vulnerable to SQL injection due to PostgreSQL driver and toolkit for Go, known as pgx.
Summary: The PostgreSQL driver and toolkit for Go, known as pgx, is used by IBM Instana Observability when using third-party datastore Operators as part of the postgres operator (CVE-2024-27304). This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details: CVEID: CVE-2024-2730...
Security Bulletin: IBM Observability with Instana using third-party Kubernetes Operators is affected by Multiple Security Vulnerabilities
Summary: Multiple vulnerabilities were remediated in IBM Observability with Instana using third-party Kubernetes Operators build 281. Vulnerability Details: CVEID: CVE-2023-38545 DESCRIPTION: libcurl and cURL are vulnerable to a heap-based buffer overflow, caused by the improper handling of hostnames...
ovirt-engine security update
4.5.5-1.21 - Fix external providers properties observability...
Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image
Summary: Multiple vulnerabilities were remediated in IBM Observability with Instana within the Instana Agent container image build 282. Vulnerability Details: CVEID: CVE-2024-24790 DESCRIPTION: An unspecified error related to various Is methods IsPrivate, IsLoopback, etc. did not work as expected for...
CVE-2024-34158 vulnerabilities
Vulnerabilities for packages: trivy, datadog-agent, restic-fips, caddy, crossplane-provider-azure-managedidentity, fulcio, http-echo, kube-bench, opa, ingress-nginx-controller, postgres-operator-fips, rabbitmq-messaging-topology-operator, kube-state-metrics, git-lfs, fq,...
Security Bulletin: IBM Observability with Instana (OnPrem) is affected by multiple security vulnerabilities
Summary: Multiple vulnerabilities were remediated in IBM Observability with Instana OnPrem build 279. Vulnerability Details: CVEID: CVE-2023-43804 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with the cookie request header not being stripped...
Structured logging in Spring Boot 3.4
Logging is a long established part of troubleshooting applications and one of the three pillars of observability, next to metrics and traces. No one likes flying blind in production, and when incidents happen, developers are happy to have log files. Logs are often written out in a human-readable...
BIT-CILIUM-2024-42486 Cilium vulnerable to information leakage via incorrect ReferenceGrant update logic in Gateway API
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In versions on the 1.15.x branch prior to 1.15.8 and the 1.16.x branch prior to 1.16.1, ReferenceGrant changes are not correctly propagated in Cilium's GatewayAPI controller, which could lead to Gateway...
BIT-CILIUM-2024-42487 Cilium's Gateway API route matching order contradicts specification
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular,...
BIT-CILIUM-OPERATOR-2024-42488 Cilium agent's race condition may lead to policy bypass for Host Firewall policy
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.14.14 and 1.15.8, a race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies...
CVE-2024-42487 Cilium's Gateway API route matching order contradicts specification
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular,...
CVE-2024-42368
A vulnerability was found in OpenTelemetry, specifically in the github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension. This flaw impacts anyone using the bearertokenauth server authenticator. Malicious clients with network access to the collector may perform...
CVE-2024-42368 open-telemetry has an Observable Timing Discrepancy
OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string...
CVE-2024-42368
The CVE-2024-42368 issue affects the bearertokenauth server authenticator in OpenTelemetry Collector contributions. A timing discrepancy arises from non-constant-time string comparisons of bearer tokens, enabling a network-adjacent attacker to infer the configured token by measuring response time...