CVE-2024-45043: OpenTelemetry Collector module AWS Firehose Receiver Authentication Bypass Vulnerability
The OpenTelemetry Collector module awsfirehosereceiver allows unauthenticated remote requests, even when it is configured to require a key.
The OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose delivery stream. Firehose sets the header X-Amz-Firehose-Access-Key to an arbitrary, operator-configured string, and the awsfirehosereceiver can optionally be configured to require that key on incoming requests. However, even when the key is configured, the receiver still accepts incoming requests that carry no key at all, so the setting does not actually gate access to the endpoint.
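The following Go model of the flaw and its fix is added here as an illustration; it is not the collector's own code, and the key value s3cret, the function names and the handler are constructed for the example. The flawed check only compares the header when it is present, so a request that omits it passes; the hardened check requires the header whenever a key is configured.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)

const accessKeyHeader = "X-Amz-Firehose-Access-Key"

// vulnerableAuth is a hypothetical reconstruction of the flawed logic: the
// configured key is compared only when the header is present.
func vulnerableAuth(configuredKey string, r *http.Request) bool {
	if configuredKey == "" {
		return true // no key configured: receiver runs without auth by design
	}
	got := r.Header.Get(accessKeyHeader)
	return got == "" || got == configuredKey // BUG: a missing header passes
}

// fixedAuth rejects a missing or wrong header whenever a key is configured,
// comparing in constant time so the check leaks nothing about the key.
func fixedAuth(configuredKey string, r *http.Request) bool {
	if configuredKey == "" {
		return true
	}
	got := r.Header.Get(accessKeyHeader)
	return subtle.ConstantTimeCompare([]byte(got), []byte(configuredKey)) == 1
}

// probe sends one request through an auth-gated handler and returns the HTTP
// status; an empty sent value means the header is omitted altogether.
func probe(check func(string, *http.Request) bool, key, sent string) int {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !check(key, r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK) // stand-in for the real record handler
	})
	req := httptest.NewRequest(http.MethodPost, "/", nil)
	if sent != "" {
		req.Header.Set(accessKeyHeader, sent)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Calling probe(vulnerableAuth, "s3cret", "") returns 200 while probe(fixedAuth, "s3cret", "") returns 401, which is the difference a regression test for this bug should pin down.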
References
- docs.aws.amazon.com/firehose/latest/dev/controlling-access.html
- docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html
- github.com/advisories/GHSA-prf6-xjxh-p698
- github.com/google/security-research/security/advisories/GHSA-q9wq-xc9h-xrw9
- github.com/open-telemetry/opentelemetry-collector
- github.com/open-telemetry/opentelemetry-collector-contrib
- github.com/open-telemetry/opentelemetry-collector-contrib/commit/371bf6afbd7cfa3253fa1674f5444064e86ef0ac
- github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847
- github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698
- github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver
- github.com/open-telemetry/opentelemetry-collector-releases/pull/74
- github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0
- github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib
- nvd.nist.gov/vuln/detail/CVE-2024-45043