CVE-2024-42368

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

O

penTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens. This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. The observable timing vulnerability was fixed by using constant-time comparison in 0.107.0

References

Link	Resource
https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a
https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516
https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv

Configurations

No configuration.

History

14 Aug 2024, 02:07

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-13 20:15

Updated : 2024-08-14 02:07

NVD link : CVE-2024-42368

Mitre link : CVE-2024-42368

CVE.ORG link : CVE-2024-42368

JSON object : View

Products Affected

No product.

CWE

CWE-208

Observable Timing Discrepancy

{"id": "CVE-2024-42368", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2024-08-13T20:15:08.447", "references": [{"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a", "source": "[email protected]"}, {"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516", "source": "[email protected]"}, {"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-208"}]}], "descriptions": [{"lang": "en", "value": "OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens. This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. The observable timing vulnerability was fixed by using constant-time comparison in 0.107.0"}, {"lang": "es", "value": "OpenTelemetry, tambi\u00e9n conocido como OTel, es un framework de observabilidad de c\u00f3digo abierto, independiente del proveedor, para instrumentar, generar, recopilar y exportar datos de telemetr\u00eda, como seguimientos, m\u00e9tricas y registros. El autenticador del servidor de la extensi\u00f3n Bearertokenauth realiza una comparaci\u00f3n de cadenas de tiempo simple y no constante de los tokens de portador recibidos y configurados. Esto afecta a cualquiera que utilice el autenticador del servidor \"bearertokenauth\". Los clientes malintencionados con acceso a la red del recopilador pueden realizar un ataque de sincronizaci\u00f3n contra un recopilador con este autenticador para adivinar el token configurado, enviando tokens de forma iterativa y comparando el tiempo de respuesta. Esto permitir\u00eda a un atacante introducir datos falsos o incorrectos en el canal de telemetr\u00eda del recopilador. La vulnerabilidad de tiempo observable se solucion\u00f3 mediante el uso de comparaci\u00f3n de tiempo constante en 0.107.0"}], "lastModified": "2024-08-14T02:07:05.410", "sourceIdentifier": "[email protected]"}