VYPR
Medium severity · 5.3 · NVD Advisory · Published Aug 28, 2024 · Updated Apr 15, 2026

CVE-2024-45043

Description

The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. awsfirehosereceiver allows unauthenticated remote requests, even when configured to require a key. OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header X-Amz-Firehose-Access-Key with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is configured it still accepts incoming requests with no key. Only OpenTelemetry Collector users configured with the “alpha” awsfirehosereceiver module are affected. This module was added in version v0.49.0 of the “Contrib” distribution (or may be included in custom builds). There is a risk of unauthorized users writing metrics. Carefully crafted metrics could hide other malicious activity. There is no risk of exfiltrating data. It’s likely these endpoints will be exposed to the public internet, as Firehose does not support private HTTP endpoints. A fix was introduced in PR #34847 and released with v0.108.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
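The defect described above is a short-circuit in the header check: the comparison only runs when the header is non-empty, so a request that omits the key passes. The following Go program is an added example, not code from the OpenTelemetry project; it reproduces the pre-fix logic next to a hardened version with the same semantics as the v0.108.0 patch (empty configured key means no authentication, otherwise the header must match). The header name and error variable are taken from the patch; the configured key value is constructed, and the constant-time comparison is our own choice rather than something the patch does.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
)

// headerFirehoseAccessKey is the header Firehose populates with the
// configured access key (name as used in the patch for this CVE).
const headerFirehoseAccessKey = "X-Amz-Firehose-Access-Key"

var errInvalidAccessKey = errors.New("invalid firehose access key")

// validateVulnerable reproduces the pre-v0.108.0 logic: the comparison
// only runs when the header is non-empty, so a request with no key (or an
// empty one) is accepted even though a key is configured.
func validateVulnerable(configuredKey string, r *http.Request) (int, error) {
	if accessKey := r.Header.Get(headerFirehoseAccessKey); accessKey != "" && accessKey != configuredKey {
		return http.StatusUnauthorized, errInvalidAccessKey
	}
	return http.StatusAccepted, nil
}

// validateFixed mirrors the patched logic: an empty configured key means
// "no authentication"; otherwise the header must match. Unlike the patch,
// the match is done in constant time (our choice, not the project's).
func validateFixed(configuredKey string, r *http.Request) (int, error) {
	if configuredKey == "" {
		// No access key configured: accept all requests, as the patch does.
		return http.StatusAccepted, nil
	}
	accessKey := r.Header.Get(headerFirehoseAccessKey)
	if subtle.ConstantTimeCompare([]byte(accessKey), []byte(configuredKey)) == 1 {
		return http.StatusAccepted, nil
	}
	return http.StatusUnauthorized, errInvalidAccessKey
}

// newRequest builds a constructed Firehose-style POST carrying exactly the
// given headers; a nil map yields a request with no access-key header.
func newRequest(headers map[string]string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "http://collector.example/", nil)
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	const configured = "example-configured-key" // constructed value
	cases := map[string]map[string]string{
		"absent header": nil,
		"empty header":  {headerFirehoseAccessKey: ""},
		"correct key":   {headerFirehoseAccessKey: configured},
		"wrong key":     {headerFirehoseAccessKey: "wrong-key"},
	}
	for name, h := range cases {
		vs, _ := validateVulnerable(configured, newRequest(h))
		fs, _ := validateFixed(configured, newRequest(h))
		fmt.Printf("%-14s vulnerable=%d fixed=%d\n", name, vs, fs)
	}
}
```

Running it shows the two unauthenticated cases (absent and empty header) returning 202 from the vulnerable check and 401 from the fixed one, while the correct and wrong keys are handled identically by both.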

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver (Go)
Affected versions: >= 0.49.0, < 0.108.0
Patched versions: 0.108.0

Patches

Commit 371bf6afbd7c

[receiver/awsfirehose]: Fix access key validation (#34847)

3 files changed · +42 −3
  • .chloggen/firehose_authn.yaml (+27 −0, added)
    @@ -0,0 +1,27 @@
    +# Use this changelog template to create an entry for release notes.
    +
    +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
    +change_type: bug_fix
    +
    +# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
    +component: awsfirehosereceiver
    +
    +# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
    +note: Fix validation of requests with empty access key
    +
    +# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
    +issues: [34847]
    +
    +# (Optional) One or more lines of additional information to render under the primary note.
    +# These lines will be padded with 2 spaces and then inserted directly into the document.
    +# Use pipe (|) for multiline entries.
    +subtext:
    +
    +# If your change doesn't affect end users or the exported elements of any package,
    +# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
    +# Optional: The change log or logs in which this entry should be included.
    +# e.g. '[user]' or '[user, api]'
    +# Include 'user' if the change is relevant to end users.
    +# Include 'api' if there is a change to a library API.
    +# Default: '[user]'
    +change_logs: [user]
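    Review bot: the `subtext:` field is left empty and `note:` describes the symptom only; since the old check accepted requests carrying no access key whenever a key was configured, the entry should say so and tell operators of that configuration to upgrade, e.g. `note: Reject requests with a missing or empty access key when one is configured` with a subtext line pointing at the advisory. Otherwise release-note readers cannot tell this bug_fix entry is security-relevant.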
    
  • receiver/awsfirehosereceiver/receiver.go (+7 −3, modified)
    @@ -233,10 +233,14 @@ func (fmr *firehoseReceiver) ServeHTTP(w http.ResponseWriter, r *http.Request) {
     // validate checks the Firehose access key in the header against
     // the one passed into the Config
     func (fmr *firehoseReceiver) validate(r *http.Request) (int, error) {
    -	if accessKey := r.Header.Get(headerFirehoseAccessKey); accessKey != "" && accessKey != string(fmr.config.AccessKey) {
    -		return http.StatusUnauthorized, errInvalidAccessKey
    +	if string(fmr.config.AccessKey) == "" {
    +		// No access key is configured - accept all requests.
    +		return http.StatusAccepted, nil
     	}
    -	return http.StatusAccepted, nil
    +	if accessKey := r.Header.Get(headerFirehoseAccessKey); accessKey == string(fmr.config.AccessKey) {
    +		return http.StatusAccepted, nil
    +	}
    +	return http.StatusUnauthorized, errInvalidAccessKey
     }
     
     // getBody reads the body from the request as a slice of bytes.
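    Review bot: the comparison `accessKey == string(fmr.config.AccessKey)` is plain string equality on a shared secret; `subtle.ConstantTimeCompare([]byte(accessKey), []byte(fmr.config.AccessKey)) == 1` from crypto/subtle is the idiomatic way to compare bearer credentials and costs nothing here. The doc comment above `validate` should also be updated to state that an empty configured key disables the check entirely, since the new first branch makes that an explicit, security-relevant behaviour rather than a side effect of the old short-circuit.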
    
  • receiver/awsfirehosereceiver/receiver_test.go (+8 −0, modified)
    @@ -123,6 +123,14 @@ func TestFirehoseRequest(t *testing.T) {
     			wantStatusCode: http.StatusUnauthorized,
     			wantErr:        errInvalidAccessKey,
     		},
    +		"WithNoAccessKey": {
    +			headers: map[string]string{
    +				headerFirehoseAccessKey: "",
    +			},
    +			body:           testFirehoseRequest(testFirehoseRequestID, noRecords),
    +			wantStatusCode: http.StatusUnauthorized,
    +			wantErr:        errInvalidAccessKey,
    +		},
     		"WithoutRequestId/Body": {
     			headers: map[string]string{
     				headerFirehoseRequestID: testFirehoseRequestID,
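    Review bot: `WithNoAccessKey` sets `headerFirehoseAccessKey: ""`, which reaches `r.Header.Get` the same way a missing header does but leaves the missing-header case undocumented; a second case with no `headerFirehoseAccessKey` entry at all, plus one where the receiver is configured without an access key and a keyless request is expected to get `http.StatusAccepted`, would cover both branches introduced in receiver.go.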
    
