PT-2024-29902 · Unknown · Opentelemetry
Axw · Published 2024-08-13 · Updated 2026-05-06 · CVE-2024-42368
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenTelemetry Collector Contrib, bearertokenauth extension (server authenticator), versions prior to 0.107.0
Description: OpenTelemetry is a vendor-neutral open source observability framework for instrumenting, generating, collecting, and exporting telemetry data. The server authenticator of the Collector's bearertokenauth extension checks the received bearer token against the configured one with a plain, non-constant-time string comparison, so the time taken to reject a request depends on how many leading bytes of the guess match the configured token. Anyone running a receiver behind the bearertokenauth server authenticator is affected. A malicious client with network access to the collector can use this as a timing oracle: by sending candidate tokens and measuring the response time it can recover the configured token byte by byte, then authenticate and inject fabricated or bad data into the collector's telemetry pipeline.
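The leak described above, in worked form. The following Go program is an added example written for this page, not code from the OpenTelemetry project or from its fix. It puts an early-exit comparison (standing in for the flawed check) beside a hashed, constant-time one and runs a simulated attacker against both. Instead of timing requests over a network it counts the work each check does, so the outcome is deterministic; the token, alphabet and oracle functions are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// configuredToken is a constructed example secret for this demo, not a real token.
const configuredToken = "s3cr3t-token-42"

// alphabet is the character set the simulated attacker enumerates at each position.
const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"

// comparisons counts the byte comparisons made by the last leakyCompare call.
// It is a deterministic stand-in for the response time a remote attacker measures.
var comparisons int

// leakyCompare mirrors the flawed check: an early-exit, byte-by-byte comparison
// whose cost grows with the length of the matching prefix of the guess.
func leakyCompare(configured, received string) bool {
	comparisons = 0
	if len(configured) != len(received) {
		return false
	}
	for i := 0; i < len(configured); i++ {
		comparisons++
		if configured[i] != received[i] {
			return false
		}
	}
	return true
}

// constantTimeCompare is the hardened check. Hashing both values first makes the
// compared buffers fixed-size, so neither the content nor the length of the
// configured token influences how long the comparison takes.
func constantTimeCompare(configured, received string) bool {
	a := sha256.Sum256([]byte(configured))
	b := sha256.Sum256([]byte(received))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// leakyOracle models the vulnerable collector: besides accept/reject it exposes
// how much work the check did, which is what response timing reveals remotely.
func leakyOracle(guess string) (accepted bool, work int) {
	accepted = leakyCompare(configuredToken, guess)
	return accepted, comparisons
}

// hardenedOracle models the fixed collector: the work is identical for every guess.
func hardenedOracle(guess string) (accepted bool, work int) {
	return constantTimeCompare(configuredToken, guess), sha256.Size
}

// recoverToken plays the attacker. For each position it tries every candidate
// byte and keeps the one that made the oracle work hardest (respond slowest).
// The token length is assumed known; against the leaky check it can be found the
// same way, since wrong-length guesses are rejected fastest of all.
func recoverToken(oracle func(string) (bool, int), length int) string {
	guess := make([]byte, length)
	for i := range guess {
		guess[i] = alphabet[0]
	}
	for pos := 0; pos < length; pos++ {
		best, bestWork := alphabet[0], -1
		for j := 0; j < len(alphabet); j++ {
			guess[pos] = alphabet[j]
			accepted, work := oracle(string(guess))
			if accepted {
				return string(guess)
			}
			if work > bestWork {
				best, bestWork = alphabet[j], work
			}
		}
		guess[pos] = best
	}
	return string(guess)
}

func main() {
	fmt.Printf("leaky check:    recovered %q\n", recoverToken(leakyOracle, len(configuredToken)))
	fmt.Printf("hardened check: recovered %q\n", recoverToken(hardenedOracle, len(configuredToken)))
}
```

Against leakyOracle the search recovers the whole token with at most len(alphabet) guesses per byte; against hardenedOracle every guess costs the same and the search learns nothing. Hashing before subtle.ConstantTimeCompare is deliberate: that function returns immediately when the two slices differ in length, which on raw tokens would still leak the token length. Over a real network the per-guess signal is buried in jitter, so an attacker repeats each guess many times and compares averages, which is why the workaround of limiting network exposure matters.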
Recommendations: For versions prior to 0.107.0, upgrade to v0.107.0 or later, which fixes the observable timing difference. Until the upgrade is in place, do not expose a receiver that uses bearertokenauth to network segments reachable by potential attackers; alternatively, switch the receiver to a different authentication extension, or disable the receiver that relies on bearertokenauth until the patch is applied. Rate limiting the receiver only slows such an attack down and is not a substitute for the fix.


Related Identifiers

CVE-2024-42368
GHSA-RFXF-MF63-CPQV
GO-2024-3066

Affected Products

Opentelemetry