CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low
The OpenTelemetry Collector running on the remote host is prior to 0.108.0. It is, therefore, affected by a timing discrepancy vulnerability, outlined below:
OpenTelemetry Collector module awsfirehosereceiver allows unauthenticated remote requests, even when configured to require a key.
OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header X-Amz-Firehose-Access-Key with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is configured it still accepts incoming requests with no key.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(206657);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/06");
script_cve_id("CVE-2024-45043");
script_xref(name:"IAVB", value:"2024-B-0130");
script_name(english:"OpenTelemetry Collector < 0.108.0 Authentication Bypass");
script_set_attribute(attribute:"synopsis", value:
"An installed application on the remote host is affected by an authentication bypass vulnerability.");
script_set_attribute(attribute:"description", value:
"The OpenTelemetry Collector running on the remote host is prior to 0.108.0. It is, therefore, affected by a timing
discrepancy vulnerability, outlined below:
OpenTelemetry Collector module awsfirehosereceiver allows unauthenticated remote requests, even when configured to
require a key.
OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose
sets the header X-Amz-Firehose-Access-Key with an arbitrary configured string. The OpenTelemetry Collector
awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is
configured it still accepts incoming requests with no key.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
# https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?29b38fb6");
script_set_attribute(attribute:"solution", value:
"Upgrade to OpenTelemetry Collector 0.108.0 or later.");
script_set_attribute(attribute:"agent", value:"unix");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-45043");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/08/28");
script_set_attribute(attribute:"patch_publication_date", value:"2024/08/28");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/09/05");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"x-cpe:/a:opentelemetry:collector");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("opentelemetry_nix_installed.nbin");
script_require_keys("installed_sw/OpenTelemetry Collector");
exit(0);
}
include('vcf.inc');
var app_info = vcf::get_app_info(app:'OpenTelemetry Collector');
var constraints = [
{'min_version' : '0.49.0', 'fixed_version': '0.108.0'}
];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_WARNING
);
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low