Smartincostello

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry.Exporter.Instana (affected versions not specified) **Description** The `OpenTelemetry.Exporter.Instana` NuGet package fails to validate HTTPS/TLS certificates when sending telemetry to an Instana back-end if a proxy is configured via the `INSTANA ENDPOINT PROXY` environment variable. The `Transport.ConfigureBackendClient()` function creates an `HttpClient` instance that disables TLS server certificate validation. This allows a network attacker to perform a Man-in-the-Middle (MitM) attack—a technique where an attacker intercepts communication between two parties—to expose all OpenTelemetry telemetry data and the Instana API key. **Recommendations** Do not configure the `INSTANA ENDPOINT PROXY` environment variable. As a temporary workaround, restrict the use of the `INSTANA ENDPOINT PROXY` environment variable to trusted environments only.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry.Resources.Azure versions prior to 1.15.0-beta.2 **Description** The `AzureVmMetaDataRequestor()` function makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without a size limit. An attacker who controls the configured endpoint or intercepts traffic via a man-in-the-middle attack can return an arbitrarily large response body. This leads to unbounded heap allocation, causing high transient memory pressure, garbage-collection stalls, or an `OutOfMemoryException` that terminates the process, resulting in a Denial of Service (DoS). **Recommendations** Update to version 1.15.0-beta.2 or later. Disable the Azure VM resource detector. Use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry.Exporter.OneCollector versions prior to 1.15.1 **Description** When exporting telemetry to a back-end or collector over HTTP, the `HttpJsonPostTransport` class reads the entire response body into memory without an upper bound if the request results in an unsuccessful HTTP 4xx or 5xx response. An attacker who controls the configured endpoint or intercepts traffic via a man-in-the-middle attack can return an arbitrarily large response body. This leads to unbounded heap allocation, causing high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process, resulting in a denial-of-service condition. **Recommendations** Update to version 1.15.1. Use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the configured back-end or collector endpoint.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry.Api versions 0.5.0-beta.2 through 1.15.2 OpenTelemetry.Extensions.Propagators versions 1.3.1 through 1.15.2 **Description** Implementation details of the baggage, B3, and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory during parsing. This occurs because certain methods eagerly allocate intermediate arrays before applying size limits, and the `BaggagePropagator.Inject<T>()` function may fail to enforce length limits when injected baggage contains only one item. This behavior can lead to a denial of service (DoS) in the consuming application when processing excessively large or malformed propagation headers. The affected functions include `BaggagePropagator.Extract<T>()`, `BaggagePropagator.Inject<T>()`, `B3Propagator.Extract<T>()`, and `JaegerPropagator.Extract<T>()`. **Recommendations** Update OpenTelemetry.Api to version 1.15.3. Update OpenTelemetry.Extensions.Propagators to version 1.15.3. Configure appropriate HTTP request header limits. Disable baggage or trace propagation as a temporary workaround.