Skip to content

fix(SECURE-3323): exclude vulnerable obi/beyla.ebpf via noebpf build tag#6

Open
jace-son wants to merge 1 commit into
v1.15.0-mem-patchfrom
fix/SECURE-3323-obi-cve-2026-41433
Open

fix(SECURE-3323): exclude vulnerable obi/beyla.ebpf via noebpf build tag#6
jace-son wants to merge 1 commit into
v1.15.0-mem-patchfrom
fix/SECURE-3323-obi-cve-2026-41433

Conversation

@jace-son

@jace-son jace-son commented Jun 15, 2026
edited by atlassian Bot
Loading

Copy link
Copy Markdown

Summary

Excludes the vulnerable go.opentelemetry.io/obi (CVE-2026-41433, GHSA-8gmg-3w2q-65f4, High / CVSS 8.4) from the alloy binary via a new noebpf build tag, instead of upgrading obi.

Ref: SECURE-3323

⚠️ Draft — holding for security sign-off on direction. See the SECURE-3323 comment for the full analysis and alternatives considered. Not for merge until security confirms this approach (vs. risk-acceptance or a full obi+beyla+collector upgrade).

Why not just bump obi?

obi is tightly coupled to grafana/beyla/v3 (shared otelcfg types) and the otel-collector ecosystem. The fix is in obi v0.8.0 / grafana fork tag v1.20.0, but bumping obi alone breaks the build:

beyla/v3 v3.6.0 vs obi v1.20.0:
cfg.MaxQueueSize undefined (type *otelcfg.TracesConfig has no field MaxQueueSize)

A coupled bump (obi + beyla/v3 + collector) churns 240+ deps (collector v1.53 -> v1.55, contrib v0.147 -> v0.149). Upstream grafana/alloy main itself is still on a pre-fix obi (fork v1.18.4), so we'd be ahead of upstream.

Why this is safe

We don't use beyla.ebpf anywhere (no beyla/OBI references in ops-k8s; our alloy config only uses pyroscope.ebpf + xnet-exporter). The vulnerable Java-injection path is not reachable in our deployment.

The beyla.ebpf component already ships a noop placeholder (beyla_placeholder.go) for non-linux platforms. This PR makes the noebpf build tag select that placeholder on linux too, so obi + beyla/v3 drop out of the binary entirely. The component stays registered — configs still parse; enabling beyla.ebpf just logs a warning.

Changes

  • internal/component/beyla/ebpf/beyla_linux.go — add && !noebpf to build constraint
  • internal/component/beyla/ebpf/beyla_linux_test.go — same
  • internal/component/beyla/ebpf/beyla_placeholder.go — add || noebpf to build constraint
  • Dockerfile — add noebpf to GO_TAGS

Verification

go list -deps (collector module):
  baseline:  122 obi/beyla packages
  noebpf:      0 obi/beyla packages

beyla.ebpf file selection:
  linux/amd64, no tag   -> beyla_linux.go       (unchanged behavior)
  linux/amd64, noebpf   -> beyla_placeholder.go (obi excluded)
  darwin                -> beyla_placeholder.go (unchanged behavior)
  • Build-constraint pair verified complementary (exactly one file active per config; args.go shared by both).
  • beyla.ebpf package compiles with and without the tag.
  • Full local binary link is blocked by unrelated CGO/Oracle (godror) + pyroscope/ebpf env issues that reproduce identically on the baseline — not introduced by this change.

🤖 Generated with Claude Code

@jace-son
fix(SECURE-3323): exclude vulnerable obi/beyla.ebpf via noebpf build tag
46e7aa0 
go.opentelemetry.io/obi (CVE-2026-41433, GHSA-8gmg-3w2q-65f4, High/CVSS
8.4) has a path-traversal / symlink-clobber flaw in the Java agent
injection path. The deployed alloy image (grafana/alloy:v1.15.0-mem-patch-v1)
pulls obi via a replace directive to grafana fork commit e31c5ac
(2026-03-18), which predates the fix (upstream obi v0.8.0, 2026-04-16 /
fork tag v1.20.0).

A straight obi bump is not viable: obi is tightly coupled to
grafana/beyla/v3 (shared otelcfg types) and the otel-collector ecosystem,
so bumping obi alone breaks the build (beyla/v3 v3.6.0 vs obi v1.20.0
otelcfg.TracesConfig.MaxQueueSize removal) and a coupled bump churns 240+
deps across collector v1.53->v1.55.

We do not use beyla.ebpf anywhere (no beyla/OBI references in ops-k8s;
alloy config only uses pyroscope.ebpf + xnet-exporter), so the vulnerable
code is not reachable. Introduce a `noebpf` build tag that swaps the
beyla.ebpf component to its existing noop placeholder, removing obi and
beyla/v3 from the build entirely (go list -deps: 122 -> 0 obi/beyla
packages). The component stays registered, so configs still parse; using
it logs a warning. Enable the tag in Dockerfile GO_TAGS.

Ref: SECURE-3323
@jace-son jace-son marked this pull request as ready for review June 15, 2026 11:40
jinsekim
jinsekim approved these changes Jun 15, 2026
View reviewed changes

@jinsekim jinsekim left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@jinsekim jinsekim added the auto-review/approved Auto-approved by pr-approver label Jun 15, 2026
jinsekim
jinsekim approved these changes Jun 15, 2026
View reviewed changes

@jinsekim jinsekim left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jinsekim jinsekim jinsekim approved these changes

Assignees

No one assigned

Labels

auto-review/approved Auto-approved by pr-approver

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jace-son @jinsekim