Headline
GHSA-vh2m-22xx-q94f: Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore
Impact
OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests.
These attributes are defined by the Semantic Conventions for HTTP Spans.
Up until the 1.8.1 the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.
Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability.
Resolution
The 1.8.1 versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will now redact by default all values detected on transmitted or received query strings.
Example transmitted or received query sting:
?key1=value1&key2=value2
Example of redacted value written on telemetry:
?key1=Redacted&key2=Redacted
Impact
OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests.
These attributes are defined by the Semantic Conventions for HTTP Spans.
Up until the 1.8.1 the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.
Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability.
Resolution
The 1.8.1 versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will now redact by default all values detected on transmitted or received query strings.
Example transmitted or received query sting:
?key1=value1&key2=value2
Example of redacted value written on telemetry:
?key1=Redacted&key2=Redacted
References
- GHSA-vh2m-22xx-q94f
- open-telemetry/opentelemetry-dotnet@e222ecb