7ASecurity is proud to share the results of our security audit of OpenTelemetry. OpenTelemetry is an open source project for generating and collecting telemetry data for software analysis. With the help of the Open Source Technology Improvement Fund (OSTIF) and the Cloud Native Computing Foundation (CNCF), this project will experience strengthened security health as it moves to graduation status with the CNCF.
Audit Process:
The goal of this engagement was to review OpenTelemetry as thoroughly as possible within the constraints of time and scope. The audit team performed a whitebox review with pentesting on the OpenTelemetry Collector and four Software Development Kits (SDKs): Go, Java, .NET, and Python. When high impact findings were identified during the audit they were securely submitted to the maintainers, who responded quickly and effectively to fix and publicize the issues.
Audit Results:
- 7 Findings with Security Impact
- 2 High CVEs (see CVE-2024-36129 for information on both), fixed
- 5 Hardening Recommendations
- Custom Recommendations for Future Security Efforts in OpenTelemetry
This was OpenTelemetry’s first pentest experience. The 7ASecurity audit team noted that the source code was high quality and indicates security best practices are being followed, supported by the lack of quantitative findings. This is a commendable accomplishment. The audit did reveal two high severity vulnerabilities as well as provide areas of improvement for future work and audits. In this way, the engagement was highly impactful and can continue to help provide context and insight to maintainers and contributors of OpenTelemetry.
Thank you to the individuals and groups that made this engagement possible:
- OpenTelemetry maintainers and community- Austin Parker, Carter Socha, Juraci Paixão Kröhling
- The Cloud Native Computing Foundation
- The Open Source Technology Improvement Fund
You can read the Audit Report HERE
You can read the OSTIF Blog HERE
You can read the OpenTelemetry Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, please contact amir@ostif.org.
