OpenTelemetry Exporter Instana TLS Certificate Validation Vulnerability

Vulnerability

A vulnerability exists in the OpenTelemetry.Exporter.Instana NuGet package, affecting versions through 1.0.7. The exporter does not properly validate HTTPS/TLS certificates when it sends telemetry to an Instana backend through a proxy configured with the INSTANA_ENDPOINT_PROXY environment variable. A network attacker who can intercept the proxy connection can exploit this flaw, exposing OpenTelemetry telemetry data and the Instana API key.

Impact

Exploitation of this vulnerability allows a network attacker to intercept and read all telemetry data sent to Instana, along with the user's Instana API key. Because the flaw bypasses TLS certificate validation rather than causing the connection to fail, this can happen without any noticeable disruption to the telemetry being sent.

Remediation

Update to OpenTelemetry.Exporter.Instana version 1.1.0 or later, where this vulnerability has been fixed. In environments where the previous behavior is needed, such as local development, it can be reintroduced deliberately by configuring the HttpClient to accept any server certificate.
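
One way to check a project for the condition described above, as an added example that is not code from the advisory or from the OpenTelemetry project. The function names, verdict labels, sample project file and proxy URL are assumptions made for illustration; the package name, version boundary and environment variable come from the advisory.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "OpenTelemetry.Exporter.Instana"
FIXED = (1, 1, 0)                     # first fixed release named in the advisory
PROXY_VAR = "INSTANA_ENDPOINT_PROXY"  # proxy variable named in the advisory

def classify_version(text):
    """Return 'affected', 'fixed' or 'review' for a NuGet version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?([-+].*)?", text.strip())
    if not m:  # floating ("1.*"), range ("[1.0,2.0)") or centrally managed version
        return "review"
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if release < FIXED:
        return "affected"
    # Assumption: a pre-release of the fixed version is not known to carry the fix.
    if release == FIXED and (m.group(4) or "").startswith("-"):
        return "review"
    return "fixed"

def package_versions(csproj_xml):
    """Yield the version of each PackageReference to the exporter in a .csproj."""
    for el in ET.fromstring(csproj_xml).iter():
        tag = el.tag.split("}")[-1]  # drop the MSBuild namespace of old-style projects
        if tag != "PackageReference" or (el.get("Include") or "").lower() != PACKAGE.lower():
            continue
        version = el.get("Version")
        if version is None:  # <Version> child element form
            child = next((c for c in el if c.tag.split("}")[-1] == "Version"), None)
            version = child.text if child is not None else None
        yield version or ""

def audit(csproj_xml, env):
    """Return (version, verdict) pairs for one project file and its environment."""
    proxy_set = bool(env.get(PROXY_VAR, "").strip())
    findings = []
    for version in package_versions(csproj_xml):
        verdict = classify_version(version)
        if verdict == "affected" and proxy_set:
            verdict = "affected-proxy-in-use"  # the exposure the advisory describes
        findings.append((version, verdict))
    return findings

# Constructed sample project file and proxy URL, not from a real deployment.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="OpenTelemetry.Exporter.Instana" Version="1.0.7" />
</ItemGroup></Project>"""

if __name__ == "__main__":
    print(audit(SAMPLE, {PROXY_VAR: "http://proxy.example:3128"}))
```

A "review" verdict means the version could not be resolved from the project file alone and should be checked against the restored package graph.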

Added: May 26, 2026, 11:48 PM
Updated: May 26, 2026, 11:48 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.