From 888fddb45765e307059095370ba022dacacc4b6d Mon Sep 17 00:00:00 2001 From: Pablo Baeyens Date: Thu, 27 Jun 2024 17:00:58 +0200 Subject: [PATCH] Address feedback from review --- .../blog/2024/hardening-the-collector-one.md | 25 +++++++++++++------ 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/content/en/blog/2024/hardening-the-collector-one.md b/content/en/blog/2024/hardening-the-collector-one.md index f7ccf8757c59..9e11a2dd9e0d 100644 --- a/content/en/blog/2024/hardening-the-collector-one.md +++ b/content/en/blog/2024/hardening-the-collector-one.md 
@@ -10,16 +10,20 @@ sig: Collector SIG --- The OpenTelemetry Collector recently went through a security audit sponsored by -the [CNCF](https://www.cncf.io/). As part of this process we recently published -a security advisory related to a [DoS vulnerability](/blog/2024/cve-2024-36129/) -that was +the [CNCF](https://www.cncf.io/), facilitated by [OSTIF](https://ostif.org/), +and performed by [7ASecurity](https://7asecurity.com/). As part of this process +we recently published a security advisory related to a +[DoS vulnerability](/blog/2024/cve-2024-36129/) that was [fully addressed in v0.102.1](https://github.com/open-telemetry/opentelemetry-collector/releases/tag/v0.102.1). The security audit also motivated us to think about ways to harden official -Collector builds and have a more secure default configuration. We are -[actively][releases-586] [working][core-10469] [on several changes][core-10470] -to achieve this and we will be publishing a series of blog posts to keep the -community informed. +Collector builds and have a more secure default configuration. We are working on +adopting [several][releases-586] [best][core-10469] [practices][core-10470] that +were recommended in the audit to achieve this and we will be publishing a series +of blog posts to keep the community informed. While we expect the report to be +made public soon, we can already say that we are very satisfied with the +confirmation that the Collector has proven to be very secure, highlighting the +secure coding practices and processes we already have in place. One of the changes we have recently been working on is changing the default bind address for Collector servers, such as those exposed by receivers or extensions 
@@ -117,6 +121,13 @@ gate so you can work on addressing this at your own pace. This feature gate will be marked as stable in a future Collector release, so we recommend addressing this as soon as possible. +## What's next? + +As we work on adopting the best practices recommended by the security audit, we +will be publishing more blog posts to keep the community informed. This will +include hardening the Collector binaries on macOS and further improving the +default behavior of Collector servers. Stay tuned! + [helm-chart]: https://github.com/open-telemetry/opentelemetry-helm-charts?tab=readme-ov-file#opentelemetry-collector [feature-gate]:
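Review bot: The added sentence in the first hunk ("we can already say that we are very satisfied with the confirmation that the Collector has proven to be very secure") makes a strong assurance claim before the audit report is public; since the previous clause says the report is not yet available, consider softening it to what the audit actually concluded (for example, that no critical findings remained after the v0.102.1 fix) or holding the sentence until the report link can be included, so the claim stays verifiable. In the same hunk, splitting the link text across "several", "best" and "practices" (`[several][releases-586] [best][core-10469] [practices][core-10470]`) keeps the three tracking references but produces three links whose text is meaningless out of context, which is poor for screen readers and for readers scanning the post; one descriptive link per recommendation (e.g. naming the change each reference tracks) would be clearer.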
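Review bot: The new "What's next?" section in the second hunk repeats almost verbatim the sentence already added in the first hunk ("we will be publishing a series of blog posts to keep the community informed"); trim one of the two so the closing section adds information rather than restating the introduction. The section also previews "hardening the Collector binaries on macOS" without any reference, while the rest of the post links each change to its tracking issue via reference-style links; if a tracking issue exists for the macOS work, add a `[...]` reference for it alongside the existing `[helm-chart]` and `[feature-gate]` definitions so readers can follow progress.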