OpenTelemetry eBPF Instrumentation Privileged File Overwrite Vulnerability in Java Agent Injection

Vulnerability

A vulnerability exists in OpenTelemetry eBPF Instrumentation versions 0.4.0 prior to 0.8.0 that allows local attackers to overwrite arbitrary host files. The issue arises when Java agent injection is enabled and the OpenTelemetry Binary Instrumentation (OBI) process is running with elevated privileges. The root cause is that the injector trusts the TMPDIR environment variable read from the target process; a manipulated value lets the agent file escape the intended filesystem location, and a pre-placed symlink turns the write into symlink-based file clobbering. The flaw is fixed in version 0.8.0.

Impact

Exploitation of this vulnerability allows arbitrary files on the host to be overwritten, potentially compromising host integrity, disrupting services, and enabling local privilege escalation, depending on which files are overwritten and on the specifics of the deployment.

Reproduction

To reproduce this vulnerability, a Java process is started with a controlled TMPDIR environment variable that points to an absolute path, such as '/etc' or a writable temp directory like '/tmp'. Once the OpenTelemetry Java agent is injected into that process, the injector writes the agent JAR file outside the intended directory, into a location under the attacker's control. Alternatively, a symlink is created at the expected destination before injection occurs, so that the injecting process overwrites the contents of the linked file.
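As an added illustration, not OBI's own code or its actual fix, the Go snippet below shows the two defensive checks that close both paths just described: the destination directory derived from the target's TMPDIR is only accepted if, after symlink resolution, it still lies under an injector-owned base directory, and the agent file is created with O_EXCL so that a symlink already planted at the destination is neither followed nor overwritten. The function names and the allowed base directory are assumptions made for this example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrUntrustedTmpDir reports a target-supplied TMPDIR that would place the
// agent file outside the injector's own base directory (hypothetical name).
var ErrUntrustedTmpDir = errors.New("agent destination escapes allowed base")

// resolveAgentDest derives the agent JAR destination from a target-supplied
// tmpdir but accepts it only when, after symlink resolution, the directory
// still lies under allowedBase. An empty tmpdir falls back to allowedBase.
func resolveAgentDest(allowedBase, tmpdir, name string) (string, error) {
	if tmpdir == "" {
		tmpdir = allowedBase
	}
	base, err := filepath.EvalSymlinks(allowedBase)
	if err != nil {
		return "", err
	}
	// Resolve symlinks in the directory part so that a link inside tmpdir
	// cannot redirect the write somewhere else on the host.
	dir, err := filepath.EvalSymlinks(tmpdir)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(base, dir)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUntrustedTmpDir
	}
	return filepath.Join(dir, name), nil
}

// writeAgentFile creates the agent file at dest. O_CREATE|O_EXCL makes the
// open fail if anything already exists at dest, a symlink included, so an
// existing host file can never be clobbered through a planted link.
func writeAgentFile(dest string, data []byte) error {
	f, err := os.OpenFile(dest, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}
```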

Remediation

Users should upgrade to OpenTelemetry eBPF Instrumentation version 0.8.0, where this vulnerability is fixed.

Added: Apr 24, 2026, 8:48 PM
Updated: Apr 24, 2026, 8:48 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 4.2
remediation: 0.0
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.