Review fluentbitextension from security perspective #6721
Comments
|
See also related #6722 |
|
This is similar to what I posted in #6722 @open-telemetry/collector-contrib-approvers I think we have a dangerous functionality in fluentbitextension. It allows executing arbitrary commands with arbitrary parameters. Some possible ways we can reduce the risks:
A more radical approach if we do not think the above is sufficient:
|
|
This specially sensitive after the log4j CVE. I'll take a look at this extension and provide my feedback soon. |
@tigrannajaryan is this the right link? I don't see anything related there. |
Wrong link. It should be #6722 |
|
As discussed during the SIG meeting yesterday, the code owners are expected to present a design for making this component secure. If none is provided by 0.46.0, we'll place this component behind a feature gate, eventually removing it. @bogdandrutu also mentioned that, for the short-term, it might make sense to add a log entry when this component is constructed, stating that this component is under security review and that it should be used with caution. @dmitryax mentioned that he might work on this if the code owners aren't available. |
After many discussions it seems the community is leaning towards removing the components that execute subprocesses. As such, marking the fluentbit exception as deprecated. Fixes open-telemetry#6721
fluentbitextension allows executing flientbit executable and accepts the command line to execute.
This is potentially a security problem, especially coupled with upcoming remote configuration capabilities. We need to make sure the Collector cannot be compelled to execute arbitrary code.
The text was updated successfully, but these errors were encountered: