OpenTelemetry eBPF Instrumentation Redis Error Export Vulnerability

Vulnerability

A vulnerability in OpenTelemetry eBPF Instrumentation prior to version 0.9.0 allows for the unfiltered export of Redis error messages as span status updates. This issue can lead to the exfiltration of sensitive information, such as tokens and personal data, into telemetry systems. The problem arises because Redis error replies can include attacker-controlled or confidential values, which are then injected into analysis backends without proper sanitization. The vulnerability is present in versions greater than v0.0.0-rc.1+build and has been patched in v0.9.0.

Impact

Exploitation of this vulnerability results in information disclosure and unauthorized telemetry injection. It affects any deployment that traces Redis traffic and exports spans to telemetry collectors, logs, or dashboards. Sensitive information, including tokens and personal data, can be leaked into these systems, while untrusted text may disrupt downstream data analysis.

Reproduction

To reproduce this vulnerability, use a build of OpenTelemetry eBPF Instrumentation that is prior to v0.9.0. After building and running this version, initiate a Redis server and use the Redis CLI to send a command that triggers an error response containing sensitive information, such as a password or token. The error message will be exported as part of the telemetry span, demonstrating the vulnerability.

Remediation

Users can update to OpenTelemetry eBPF Instrumentation version 0.9.0 or later, where this vulnerability has been fixed.
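The mechanism described above is that the free-text part of a Redis error reply (which can echo arguments the client sent) is copied verbatim into the span status. A defender-side mitigation, independent of upgrading, is to record only the error category and drop the rest. The following Go example is added here and is not code from the OpenTelemetry eBPF Instrumentation project; the sample replies are constructed, and `SpanStatusDescription` stands in for whatever span-building step a tracer would have (a hypothetical name, not a project API).

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed sample RESP replies. Simple errors start with '-'; the text after
// the error code may echo what the client sent, which is why exporting it
// verbatim can leak secrets that appeared in a command.
var sampleReplies = []string{
	"-ERR unknown command 'AUTH', with args beginning with: 'sk_live_EXAMPLE_TOKEN'",
	"-WRONGPASS invalid username-password pair or user is disabled.",
	"-NOAUTH Authentication required.",
	"-ERR value is not an integer or out of range",
	"+OK",
}

// RedisErrorCode returns only the leading error code of a RESP error reply
// (the uppercase token Redis places first: ERR, WRONGPASS, NOAUTH, ...).
// Everything after that token is client-influenced text and is discarded.
// ok is false when the reply is not an error at all.
func RedisErrorCode(reply string) (code string, ok bool) {
	reply = strings.TrimRight(reply, "\r\n")
	if !strings.HasPrefix(reply, "-") {
		return "", false
	}
	body := reply[1:]
	end := 0
	for end < len(body) && (unicode.IsUpper(rune(body[end])) || body[end] == '_') {
		end++
	}
	if end == 0 {
		// Error reply without a recognisable code: report a generic category
		// rather than the raw text.
		return "ERR", true
	}
	return body[:end], true
}

// SpanStatusDescription is a hypothetical stand-in for the tracer's status
// step: it yields a stable, non-sensitive description for error replies and
// "" for anything else.
func SpanStatusDescription(reply string) string {
	code, ok := RedisErrorCode(reply)
	if !ok {
		return ""
	}
	return "redis error: " + code
}

func main() {
	for _, r := range sampleReplies {
		fmt.Printf("raw=%q -> status=%q\n", r, SpanStatusDescription(r))
	}
}
```

Keeping only the code preserves what an operator usually needs for dashboards (how many authentication failures, how many type errors) while the echoed arguments never reach the collector. The raw message can still be logged locally under tighter access controls if it is needed for debugging.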

Added: Jun 2, 2026, 4:39 PM
Updated: Jun 2, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 8.7
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.