[receiver/jmxreceiver] Only accept versions of the JMX Metrics Gatherer jar or additional dependencies with known hashes #9687

Closed
dehaansa opened this issue May 2, 2022 · 1 comment
dehaansa commented May 2, 2022

Is your feature request related to a problem? Please describe.
This issue is a portion of the effort to reduce the potential security risks of running the JMX Metrics Gatherer as a separate executable.

Describe the solution you'd like
Hash the known & supported versions of the JMX Metrics Gatherer, then at runtime compare the hash of the found Jar from user input to that list of known hashes.

Also apply this to the "Additional Jars" parameter, which is currently only intended & required for Wildfly support. There are only 3 released versions of the relevant Jar so this should be straightforward.

Additional context
#6750

dehaansa changed the title from "[receiver/jmxreceiver] Only accept versions of the JMX Metrics Gatherer with known hashes" to "[receiver/jmxreceiver] Only accept versions of the JMX Metrics Gatherer jar or additional dependencies with known hashes" on May 2, 2022
@djaglowski

Closed by #9985
