OpenTelemetry Exporter OpenTelemetryProtocol OTLP Disk Retry Directory Path Vulnerability Allowing Local Blob Injection

Vulnerability

A vulnerability exists in the OpenTelemetry.Exporter.OpenTelemetryProtocol package, affecting versions from 1.8.0 up to (but not including) 1.15.2. The issue lies in the OTLP disk retry feature: when disk retries are enabled without a directory path, the exporter defaults to a temporary directory that other local users can access. On multi-user systems this allows another local user to inject, read, or manipulate the blob files holding queued telemetry, which can lead to unauthorized disclosure of information, degraded application performance, or excessive disk consumption.

Impact

Exploitation of this vulnerability allows for unauthorized injection of blob files into the application's retry mechanism, which are then sent to the configured OTLP endpoint. This could be used to manipulate telemetry data being reported. Additionally, an attacker could read blob files containing encoded telemetry data that the application was unable to export due to previous failures, recovering sensitive information such as spans, metric data points, or log records. The vulnerability also allows for resource exhaustion by creating numerous or oversized blob files, disrupting the application's retry process and consuming available disk space.

Reproduction

To reproduce this vulnerability, set the environment variable 'OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY' to 'disk' without specifying a directory path. This will cause the exporter to use the default temporary directory, such as '/tmp' on Linux or '%TEMP%' on Windows. Once the application is running, write crafted '*.blob' files into the 'traces', 'metrics', or 'logs' subdirectories within the temporary directory. After the application experiences a transient export failure, the next retry cycle will process the injected blob files and send them to the configured OTLP endpoint under the application's identity.

Remediation

Users can upgrade to OpenTelemetry.Exporter.OpenTelemetryProtocol version 1.15.3 or later. If an immediate upgrade is not possible, avoid enabling disk retry in shared environments, configure a dedicated directory with strict access controls, ensure the directory is not shared across users, and monitor for unexpected blob files or abnormal growth in the retry backlog.
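The following POSIX shell script is an added example illustrating the remediation steps above; it is not code from the advisory or from the OpenTelemetry project. It creates a dedicated, owner-only retry directory, audits a retry configuration for the unsafe default (disk retry with no path, or a path writable by other users), and inspects the `traces`, `metrics` and `logs` subdirectories for backlog growth, oversized blobs, or blobs not owned by the running user. The environment variable name `OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH` used in the demo section is an assumption about how the exporter reads the directory path; the advisory itself names only `OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY`, so confirm the variable against the exporter README for your version.

```shell
#!/bin/sh
# Added example (defender-side checks for the OTLP disk retry directory).
# Not part of the advisory or the OpenTelemetry project.

# create_retry_dir DIR
# Creates DIR with mode 0700 so only the application's user can read or
# write queued telemetry blobs.
create_retry_dir() {
  dir="$1"
  ( umask 077 && mkdir -p "$dir" ) || return 1
  chmod 700 "$dir"
}

# audit_retry_config MODE DIR
# MODE is the value of OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY, DIR the configured
# directory path. Returns 1 when disk retry is enabled and the directory is
# unset (shared temp dir fallback), missing, or writable by group/others.
audit_retry_config() {
  mode="$1"; dir="$2"
  [ "$mode" = "disk" ] || return 0   # disk retry not enabled: nothing to audit
  if [ -z "$dir" ]; then
    echo "FAIL: disk retry enabled with no directory path; exporter falls back to the shared temp dir"
    return 1
  fi
  if [ ! -d "$dir" ]; then
    echo "FAIL: retry directory $dir does not exist"
    return 1
  fi
  # -prune keeps find on DIR itself; -perm -002 / -020 match other/group write bits.
  if [ -n "$(find "$dir" -prune \( -perm -002 -o -perm -020 \) -print)" ]; then
    echo "FAIL: retry directory $dir is writable by other users"
    return 1
  fi
  echo "OK: retry directory $dir is private"
  return 0
}

# check_retry_backlog DIR MAX_COUNT MAX_BYTES
# Walks the traces/metrics/logs subdirectories and returns 1 when any holds
# more than MAX_COUNT blob files, a blob larger than MAX_BYTES, or a blob
# not owned by the current user (a sign of an injected file).
check_retry_backlog() {
  dir="$1"; max_count="$2"; max_bytes="$3"
  status=0
  for sub in traces metrics logs; do
    [ -d "$dir/$sub" ] || continue
    n=$(find "$dir/$sub" -type f -name '*.blob' | wc -l | tr -d ' ')
    if [ "$n" -gt "$max_count" ]; then
      echo "WARN: $n blob files queued under $dir/$sub (threshold $max_count)"
      status=1
    fi
    big=$(find "$dir/$sub" -type f -name '*.blob' -size +"$max_bytes"c)
    if [ -n "$big" ]; then
      echo "WARN: oversized blob file(s) under $dir/$sub:"; echo "$big"
      status=1
    fi
    foreign=$(find "$dir/$sub" -type f -name '*.blob' ! -user "$(id -un)")
    if [ -n "$foreign" ]; then
      echo "WARN: blob file(s) under $dir/$sub not owned by $(id -un):"; echo "$foreign"
      status=1
    fi
  done
  return $status
}

# Demo: run with "--demo" to set up a private directory under a constructed
# path and audit the resulting configuration.
if [ "${1:-}" = "--demo" ]; then
  RETRY_DIR="${HOME}/.local/state/myapp/otlp-retry"   # constructed path
  create_retry_dir "$RETRY_DIR"
  export OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk
  export OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH="$RETRY_DIR"  # assumed variable name
  audit_retry_config "$OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY" \
                     "$OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH"
  check_retry_backlog "$RETRY_DIR" 1000 1048576
fi
```

The audit treats "disk retry with an empty path" as a failure by itself, independent of what the temp directory's permissions happen to be, because the advisory's point is that the default location is shared; the backlog check is meant to run periodically (cron or a monitoring agent) so that an unexpected jump in file count, size, or ownership is noticed before the next retry cycle picks the files up.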

Added: May 12, 2026, 8:51 PM
Updated: May 12, 2026, 8:51 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.3
remediation: 0.0
relevance: 8.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.