OpenTelemetry eBPF Instrumentation
- > v0.0.0-rc.1+build
A vulnerability in the Java TLS ioctl probe of OpenTelemetry eBPF Instrumentation (OBI) allows local kernel memory disclosure. The probe reads user-controlled ioctl pointers with 'bpf_probe_read' instead of the safer 'bpf_probe_read_user'. As a result, an instrumented process can direct OBI at kernel memory, leading to unauthorized memory access. The vulnerability is present in versions prior to 0.9.0.
Exploitation of this vulnerability allows a local process to cause kernel memory to be disclosed to the OpenTelemetry eBPF agent. That memory could then be sent to telemetry systems, potentially exposing sensitive information.
To reproduce this vulnerability, first build a vulnerable version of the OpenTelemetry eBPF Instrumentation with Java TLS support enabled. After building the instrumented OBI, load it into a process. Then, execute a local program that issues an ioctl command to file descriptor 0, supplying a pointer to a memory location in the kernel space. If the pointer references readable kernel memory and the OBI is running with the BPF program loaded, the kernel memory will be copied into the telemetry.
Users can upgrade to OpenTelemetry eBPF Instrumentation version 0.9.0 or later, where this vulnerability has been patched.
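The difference between the two helpers, shown as an added userspace model (not eBPF and not OBI's own code): a toy address space with an assumed user/kernel split, a probe body that trusts the ioctl argument, and the same body using the user-only read. All names, addresses and buffer contents are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_LIMIT 0x1000u   /* assumed split: [0, USER_LIMIT) is user memory */
#define MEM_SIZE   0x2000u   /* [USER_LIMIT, MEM_SIZE) is kernel memory */
static uint8_t mem[MEM_SIZE];

/* Models legacy bpf_probe_read(): reads any mapped address, user or kernel. */
static int model_probe_read(void *dst, uint32_t size, uint64_t addr) {
    if (addr >= MEM_SIZE || size > MEM_SIZE - addr) {
        memset(dst, 0, size);
        return -EFAULT;
    }
    memcpy(dst, mem + addr, size);
    return 0;
}

/* Models bpf_probe_read_user(): fails unless the whole range is user memory. */
static int model_probe_read_user(void *dst, uint32_t size, uint64_t addr) {
    if (addr >= USER_LIMIT || size > USER_LIMIT - addr) {
        memset(dst, 0, size);    /* destination is zeroed on failure */
        return -EFAULT;
    }
    memcpy(dst, mem + addr, size);
    return 0;
}

struct event { uint8_t payload[16]; int err; };   /* what would reach telemetry */

/* Probe body as the advisory describes it: the ioctl pointer is trusted. */
static struct event on_ioctl_vulnerable(uint64_t arg) {
    struct event e;
    e.err = model_probe_read(e.payload, sizeof e.payload, arg);
    return e;
}

/* Hardened body: same read, restricted to user addresses. */
static struct event on_ioctl_fixed(uint64_t arg) {
    struct event e;
    e.err = model_probe_read_user(e.payload, sizeof e.payload, arg);
    return e;
}

static void setup(void) {                         /* constructed sample contents */
    memset(mem, 0, sizeof mem);
    memcpy(mem + 0x0100, "user-tls-buffer", 16);
    memcpy(mem + 0x1800, "KERNEL-SECRET!!", 16);
}

int main(void) {
    setup();
    printf("vulnerable err=%d\n", on_ioctl_vulnerable(0x1800).err);
    printf("fixed      err=%d\n", on_ioctl_fixed(0x1800).err);
    return 0;
}
```

In the model, the kernel-range pointer is copied into the event by the first handler and rejected with -EFAULT by the second, while a legitimate user pointer still works with the hardened read.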