CVE-2024-45043

Name of the Vulnerable Software and Affected Versions OpenTelemetry Collector versions prior to v0.108.0

Description The OpenTelemetry Collector module awsfirehosereceiver allows unauthenticated remote requests, even when configured to require a key. This module can be used to receive CloudWatch metrics via an AWS Firehose Stream, and it sets the header X-Amz-Firehose-Access-Key with an arbitrary configured string. However, when this key is configured, the module still accepts incoming requests with no key. There is a risk of unauthorized users writing metrics, and carefully crafted metrics could hide other malicious activity. It's likely that these endpoints will be exposed to the public internet, as Firehose does not support private HTTP endpoints.

Recommendations For OpenTelemetry Collector versions prior to v0.108.0, upgrade to version v0.108.0 or later to fix the vulnerability. As a temporary workaround, consider disabling the awsfirehosereceiver module until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the X-Amz-Firehose-Access-Key header in the affected API endpoint until the issue is resolved.