Implement workaround in accumulo-env.sh for OpenTelemetry CVE#6288
Implement workaround in accumulo-env.sh for OpenTelemetry CVE#6288dlmarion merged 3 commits intoapache:2.1from
Conversation
Added a system property in accumulo-env.sh to disable the RMI instrumentation of the OpenTelemetry Java Agent. See https://github.com/apache/accumulo/security/dependabot/25 for more information.
|
If #6289 is merged to main, then this change can be ignored in main |
ddanielr
left a comment
ddanielr
left a comment
There was a problem hiding this comment.
Why can't we just update the version of opentelemetry-bom to 1.60.1 and opentelemetry-javaagent to 2.26.1?
Are we stuck waiting on a new micrometer release?
We are constrained by the version of protobuf-java that we are dependent on in the 2.1.x line. |
keith-turner
left a comment
keith-turner
left a comment
There was a problem hiding this comment.
If #6289 is merged to main, then this change can be ignored in main
Would it cause any problems to leave those changes in main even if 6289 is merged? Seems like for something like rmi it should only be enabled if needed anyway.
Co-authored-by: Daniel Roberts <ddanielr@gmail.com>
I guess it doesn't hurt to leave it on the merge. There are likely a bunch of other options we are not specifying though, leaving this one option in could imply to the user that all other options are safe. |
That seems like a good reason to remove it in main, users should look at all the options when configuring it. |
3 participants
Added a system property in accumulo-env.sh to disable the RMI instrumentation of the OpenTelemetry Java Agent. See https://github.com/apache/accumulo/security/dependabot/25 for more information.