OSTIF is proud to share the results of our security audit of OpenTelemetry. OpenTelemetry is an open source project for generating and collecting telemetry data for software analysis. With the help of 7ASecurity and the Cloud Native Computing Foundation (CNCF), this project will experience strengthened security health as it moves to graduation status with the CNCF.
Audit Process:
The goal of this engagement was to review OpenTelemetry as thoroughly as possible within the constraints of time and scope. The audit team performed a whitebox review with pentesting on the OpenTelemetry Collector and four Software Development Kits (SDKs): Go, Java, .NET, and Python. When high-impact findings were identified during the audit, they were securely submitted to the maintainers, who responded quickly and effectively to fix and publicize the issues.
Audit Results:
- 7 Findings with Security Impact
- 2 High CVEs (see CVE-2024-36129 for information on both), fixed
- 5 Hardening Recommendations
- Custom Recommendations for Future Security Efforts in OpenTelemetry
This was OpenTelemetry’s first pentest experience. 7ASecurity’s audit team noted that the source code was high quality and indicates that security best practices are being followed, supported by the lack of quantitative findings. This is a commendable accomplishment. The audit did reveal two high-severity vulnerabilities and provided areas of improvement for future work and audits. In this way, the engagement was highly impactful and can continue to help provide context and insight to maintainers and contributors of OpenTelemetry.
Thank you to the individuals and groups that made this engagement possible:
- OpenTelemetry maintainers and community: Austin Parker, Carter Socha, Juraci Paixão Kröhling
- 7ASecurity: Abraham Aranguren, Daniel Ortiz, Miroslav Štampar
- The Cloud Native Computing Foundation
You can read the Audit Report HERE
You can read OpenTelemetry’s Blog HERE
You can read 7ASecurity’s Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting more critical work, contact [email protected].