## SumoLogic Collector v0.108.0-1649 Exposes Windows Containers to Multiple Critical Vulnerabilities
A standard installation of the SumoLogic OpenTelemetry Collector version 0.108.0-1649 in a Windows container introduces multiple documented security vulnerabilities. A user report on GitHub, accompanied by a Trivy scan, reveals that the collector package pulls in dependencies with at least four specific CVEs, including CVE-2024-0406, CVE-2024-34156, CVE-2024-34155, and CVE-2024-34158. This creates a direct security exposure for any enterprise environment deploying this version within a containerized Windows Server Core (LTSC 2019) infrastructure using the official SumoLogic installation script.

The vulnerability findings are not theoretical; they are reproducible. Following the documented steps—building a container from the Microsoft base image, installing the collector via the official PowerShell script, and scanning with the Trivy CLI—consistently flags these vulnerabilities. This indicates the security flaws are embedded within the distributed collector package or its dependencies, not a result of misconfiguration. The presence of these CVEs in a core observability tool, designed to ingest sensitive log and metric data, significantly raises the attack surface for organizations that rely on it.
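
One way to triage such a scan for the four CVE IDs named above, as an added example that is not part of the GitHub report or SumoLogic's tooling. It assumes the scan was saved in Trivy's JSON output format; the embedded report is constructed, with placeholder targets, package names and versions.

```python
import json

# CVE IDs named in the report above.
TRACKED = {"CVE-2024-0406", "CVE-2024-34156", "CVE-2024-34155", "CVE-2024-34158"}

# Constructed sample in the shape of Trivy's JSON report.
# Targets, package names and versions are placeholders, not values from the real scan.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "PLACEHOLDER/collector.exe", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-34156", "PkgName": "placeholder-pkg-a",
             "InstalledVersion": "0.0.1", "FixedVersion": "0.0.2"},
            {"VulnerabilityID": "CVE-2024-0406", "PkgName": "placeholder-pkg-b",
             "InstalledVersion": "0.0.1", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-0000-0000", "PkgName": "placeholder-pkg-c",
             "InstalledVersion": "0.0.1", "FixedVersion": "0.0.3"},
        ]},
        {"Target": "PLACEHOLDER/clean-layer"},  # no "Vulnerabilities" key: nothing found
    ]
})

def triage(report_json, tracked=TRACKED):
    """Split tracked findings into fixable (upgrade available) and unfixed."""
    report = json.loads(report_json)
    fixable, unfixed = [], []
    for result in report.get("Results") or []:
        # Trivy omits "Vulnerabilities" (or sets it to null) for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") not in tracked:
                continue
            row = (vuln["VulnerabilityID"], result.get("Target", "?"),
                   vuln.get("PkgName", "?"), vuln.get("FixedVersion") or None)
            (fixable if row[3] else unfixed).append(row)
    seen = {r[0] for r in fixable + unfixed}
    return {"fixable": fixable, "unfixed": unfixed, "not_seen": sorted(tracked - seen)}

if __name__ == "__main__":
    out = triage(SAMPLE_REPORT)
    for key in ("fixable", "unfixed", "not_seen"):
        print(key, out[key])
    # Non-zero exit lets a build pipeline block the image when a tracked CVE is present.
    raise SystemExit(1 if out["fixable"] or out["unfixed"] else 0)
```

Findings in the `fixable` list can be addressed by rebuilding on a collector release that carries the fixed dependency; `unfixed` ones need a compensating control or an accepted-risk record until a fix ships.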

The immediate implication is that any team using this specific version of the SumoLogic collector in a Windows container environment is likely operating a non-compliant and potentially exploitable asset. This places internal security and platform engineering teams under pressure to either find an immediate mitigation path, which the user explicitly requested but has not received, or to halt deployments. The situation prompts urgent scrutiny of software supply chain security for this widely used SaaS platform, as its official installation method is currently propagating known vulnerabilities into enterprise infrastructure.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, container-security, windows, supply-chain, observability
- **Credibility**: unverified
- **Published**: 2026-04-01 08:27:01
- **ID**: 44890
- **URL**: https://whisperx.ai/en/intel/44890