13.5. What’s Fixed in 7.3.0 LTS

This section describes bugs fixed in Observability Framework 7.3.0 LTS. These are fixes applied since 7.2.0. For information on what was fixed in releases 7.0.0, 7.1.0, and 7.2.0, which are also part of 7.3.0 LTS, see Previous Releases.

Note

For what’s fixed in Monitoring Library 2.0, see the Connext Core Libraries Release Notes.

[Critical]: System-stopping issue, such as a crash or data loss.
[Major]: Significant issue with no easy workaround.
[Minor]: Issue that usually has a workaround.
[Trivial]: Small issue, such as a typo in a log.

13.5.1. Crashes

13.5.1.1. [Critical] Observability Collector Service could crash when an application was discovered

When Observability Collector Service discovers an application, Monitoring Library 2.0 sends a special sample with information about the discovered application, such as the logging configuration, process ID, and host name.

Normally, this information is sent in a single sample, but it could potentially be split into more than one sample. If, due to timing, the process ID or the host name was sent in a separate sample from the logging configuration, an invalid condition check caused Observability Collector Service to dereference a null pointer, which crashed the service.

[RTI Issue ID OCA-307]
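An added illustration of the defensive pattern this fix implies (this is not RTI's code; the sample layout, field names and values are constructed for the example, not the Monitoring Library 2.0 data types): partial discovery samples are merged into one per-application record, and the record is only treated as complete once every field has actually arrived, so nothing dereferences a field that was sent in a later sample.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical discovery sample: every field is optional because the
 * information may arrive split across several samples (constructed
 * shape for illustration, not a Connext type). */
typedef struct {
    const char *app_id;          /* which application this sample is about */
    const char *logging_config;  /* NULL if absent from this sample */
    int process_id;              /* 0 if absent from this sample */
    const char *host_name;       /* NULL if absent from this sample */
} DiscoverySample;

/* Per-application record built up from one or more samples. */
typedef struct {
    char app_id[64];
    char logging_config[128];
    int process_id;
    char host_name[64];
} DiscoveredApp;

static void copy_field(char *dst, size_t cap, const char *src) {
    if (src != NULL) snprintf(dst, cap, "%s", src);  /* skip fields not in this sample */
}

/* Merge one sample into the record. Returns true only once every required
 * field has been seen; until then callers must not act on the record, which
 * is exactly the condition the crashing check got wrong. */
bool merge_discovery_sample(DiscoveredApp *app, const DiscoverySample *s) {
    if (app == NULL || s == NULL || s->app_id == NULL) return false;
    copy_field(app->app_id, sizeof app->app_id, s->app_id);
    copy_field(app->logging_config, sizeof app->logging_config, s->logging_config);
    copy_field(app->host_name, sizeof app->host_name, s->host_name);
    if (s->process_id != 0) app->process_id = s->process_id;
    return app->logging_config[0] != '\0' && app->process_id != 0 &&
           app->host_name[0] != '\0';
}

int main(void) {
    /* Constructed split delivery: logging configuration first, PID and host later. */
    DiscoveredApp app = {0};
    DiscoverySample first  = {"app-1", "level=WARN", 0, NULL};
    DiscoverySample second = {"app-1", NULL, 4242, "edge-host-7"};
    printf("complete after first sample:  %d\n", merge_discovery_sample(&app, &first));
    printf("complete after second sample: %d\n", merge_discovery_sample(&app, &second));
    return 0;
}
```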

13.5.2. Vulnerabilities

13.5.2.1. [Critical] Potential out of memory error when using Curl 8.1.2

Observability Collector Service had a third-party dependency on Curl 8.1.2, which is known to be affected by a number of publicly disclosed vulnerabilities. These vulnerabilities have been fixed by upgrading Curl to the latest stable version, 8.5.0.

13.5.2.1.1. User impact without security

This vulnerability impacts Connext 7.2.0 applications using Observability Collector Service, as follows:

  • Exploitable by streaming an endless series of headers to the application using Curl.

  • The application could run out of memory.

  • CVSS Base Score: 7.5 HIGH

  • CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

13.5.2.1.2. User impact with security

Same as “User Impact without Security,” above.

[RTI Issue ID OCA-303]

13.5.2.2. [Critical] Potential deletion of HSTS data when using Curl 8.1.2

Observability Collector Service had a third-party dependency on Curl 8.1.2, which is known to be affected by a number of publicly disclosed vulnerabilities. These vulnerabilities have been fixed by upgrading Curl to the latest stable version, 8.5.0.

13.5.2.2.1. User impact without security

This vulnerability impacts Connext 7.2.0 applications using the Observability Collector Service, as follows:

  • When saving HSTS data to an excessively long file name, Curl could end up removing all contents.

  • Subsequent requests using that file would then be unaware of the HSTS status they should otherwise use.

  • CVSS Base Score: 5.3 MEDIUM

  • CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

13.5.2.2.2. User impact with security

Same as “User Impact without Security,” above.

[RTI Issue ID OCA-324]