logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-42368 github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension

Package

Manager: go
Name: github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension
Vulnerable Version: >=0.80.0 <0.107.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00088 pctl0.26046

Details

open-telemetry has an Observable Timing Discrepancy ### Summary The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens. ### Details https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/9128a9258fe1fee36f198f97b1e3371fc7b77a93/extension/bearertokenauthextension/bearertokenauth.go#L189-L196 For background on the type of vulnerability, see https://ropesec.com/articles/timing-attacks/. ### Impact This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. ### Fix The observable timing vulnerability was fixed by @axw in v0.107.0 (PR https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516) by using constant-time comparison. ### Workarounds - upgrade to v0.107.0 or above, or, if you're unable to upgrade at this time, - don't expose the receiver using `bearertokenauth` to network segments accessible by potential attackers, or - change the receiver to use a different authentication extension instead, or - disable the receiver relying on `bearertokenauth`

Metadata

Created: 2024-08-13T18:59:32Z
Modified: 2024-08-13T21:57:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-rfxf-mf63-cpqv/GHSA-rfxf-mf63-cpqv.json
CWE IDs: ["CWE-208"]
Alternative ID: GHSA-rfxf-mf63-cpqv
Finding: F063
Auto approve: 1