OpenTelemetry Collector Contrib Azure Authenticator Extension Authentication Bypass Vulnerability

Vulnerability

A server-side authentication bypass vulnerability has been identified in the Azure Authenticator Extension of the OpenTelemetry Collector Contrib, affecting versions 0.124.0 prior to 0.150.0. The vulnerability allows any party with a valid Azure access token to authenticate to OpenTelemetry receivers using Azure authentication. The issue arises because the extension's Authenticate method fails to properly validate bearer tokens as JSON Web Tokens (JWTs). Instead, it compares tokens using string equality, allowing tokens minted for various Azure resources to be reused for authentication. This flaw is exacerbated by the fact that tokens can be replayed for their entire issued lifetime, which is typically several hours for managed identity tokens.

Impact

Exploitation of this vulnerability allows for improper authentication, with tokens being replayable for their full issued lifetime. This could lead to unauthorized ingestion of traces, metrics, and logs, potentially poisoning telemetry backends, injecting misleading logs into security information and event management systems, manipulating metrics to trigger or suppress alerts, and causing adversarial traces that disrupt service-graph and incident-triage processes.

Reproduction

The vulnerability can be reproduced by deploying the OpenTelemetry Collector with an affected version of the Azure Authenticator Extension (0.124.0 or later, before 0.150.0). Configure a receiver to use Azure authentication and send a request carrying a valid Azure access token for a scope that the collector's own identity can mint. The request is authenticated successfully, bypassing the intended authentication mechanism.

Remediation

Remove the Azure authentication from any receiver 'auth:' blocks. For proper Entra ID JWT validation on OTLP receivers, use the OIDC Authenticator Extension pointed at the tenant discovery URL, with the audience pinned from configuration.
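The comparison flaw described under Vulnerability and the audience pinning called for under Remediation, shown side by side as an added example. This is not code from this advisory or from the OpenTelemetry Collector Contrib project: it stands in for Entra ID's RS256 tokens with an HMAC-signed test token, and the signing key, issuer, audience values and the "other resource" audience are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders. Real Entra ID tokens are RS256-signed with keys published at the
# tenant's OIDC discovery URL, which is what the OIDC authenticator extension fetches.
TEST_SIGNING_KEY = b"constructed-test-key-not-a-real-secret"
TENANT_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"   # placeholder
COLLECTOR_AUDIENCE = "api://otel-collector-placeholder"                # placeholder
OTHER_AUDIENCE = "api://some-other-azure-resource-placeholder"         # placeholder
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(claims: dict) -> str:
    """Build an HS256 JWT with the test key (stand-in for a token issued by Entra ID)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(TEST_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def string_equality_check(presented: str, reference: str) -> bool:
    """The flawed pattern from the advisory: the bearer token is treated as an opaque string
    and compared with a token the collector obtained itself. No claim is inspected, so the
    token's audience, issuer and expiry play no part in the decision."""
    return hmac.compare_digest(presented.encode(), reference.encode())


def validate_jwt(token: str, issuer: str, audience: str, now: int = NOW) -> bool:
    """What a proper JWT check does: verify the signature, then pin iss, aud and exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(TEST_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False                  # signature does not match the issuer's key
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                    # bad base64url or malformed JSON
        return False
    if claims.get("iss") != issuer:
        return False                      # issued by a different tenant/issuer
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if audience not in aud_list:
        return False                      # minted for a different resource
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False                      # expired, or no expiry at all
    return True


def demo() -> dict:
    """Run both checks over tokens a collector might be presented with."""
    # A token the collector's identity obtained for some other Azure resource. Under the
    # flawed check it is also the reference value, so replaying it succeeds for its lifetime.
    other_resource_token = mint_test_token(
        {"iss": TENANT_ISSUER, "aud": OTHER_AUDIENCE, "exp": NOW + 3600})
    # A token actually issued for the collector's own pinned audience.
    collector_token = mint_test_token(
        {"iss": TENANT_ISSUER, "aud": COLLECTOR_AUDIENCE, "exp": NOW + 3600})
    # A token for the pinned audience that expired an hour ago.
    expired_token = mint_test_token(
        {"iss": TENANT_ISSUER, "aud": COLLECTOR_AUDIENCE, "exp": NOW - 3600})
    # The other-resource token with its payload edited after signing to name our audience.
    header_b64, _, sig_b64 = other_resource_token.split(".")
    edited_payload = _b64url(json.dumps(
        {"iss": TENANT_ISSUER, "aud": COLLECTOR_AUDIENCE, "exp": NOW + 3600},
        separators=(",", ":")).encode())
    edited_token = f"{header_b64}.{edited_payload}.{sig_b64}"
    return {
        "flawed_accepts_other_resource_token":
            string_equality_check(other_resource_token, other_resource_token),
        "jwt_rejects_other_resource_token":
            not validate_jwt(other_resource_token, TENANT_ISSUER, COLLECTOR_AUDIENCE),
        "jwt_accepts_collector_token":
            validate_jwt(collector_token, TENANT_ISSUER, COLLECTOR_AUDIENCE),
        "jwt_rejects_expired_token":
            not validate_jwt(expired_token, TENANT_ISSUER, COLLECTOR_AUDIENCE),
        "jwt_rejects_edited_payload":
            not validate_jwt(edited_token, TENANT_ISSUER, COLLECTOR_AUDIENCE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the side-by-side is that the string comparison has no notion of audience or lifetime: whatever token the collector itself last fetched is the password, and it stays valid until that token expires. Pinning `aud` to the collector's own identifier is what stops a token issued for a different resource from being accepted, and checking `exp` bounds the replay window; both are configuration inputs to the OIDC authenticator the remediation points at, not something the string check can be patched into.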

Added: May 13, 2026, 9:31 PM
Updated: May 13, 2026, 9:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.