CVE-2024-55886
📋 TL;DR
This vulnerability allows unauthorized users to ingest OpenTelemetry Logs data into OpenSearch Data Prepper when custom authentication plugins are improperly implemented. It affects Data Prepper versions 2.1.0 through 2.10.1 that use custom GrpcAuthenticationProvider implementations with getHttpAuthenticationService() instead of getAuthenticationInterceptor(). The built-in http_basic authentication is not affected.
💻 Affected Systems
- OpenSearch Data Prepper
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized data injection could lead to data pollution, log poisoning, or ingestion of malicious data that could compromise downstream systems and analytics.
Likely Case
Unauthorized users could send logs without authentication, potentially bypassing data validation and ingestion controls.
If Mitigated
With proper authentication controls, only authorized users can ingest logs, maintaining data integrity and access control.
🎯 Exploit Status
Exploitation requires knowledge of the vulnerable endpoint and custom authentication plugin configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.2
Vendor Advisory: https://github.com/opensearch-project/data-prepper/security/advisories/GHSA-725p-63vv-v948
Restart Required: Yes
Instructions:
1. Upgrade Data Prepper to version 2.10.2 or later.
2. Restart Data Prepper services.
3. Verify custom authentication plugins now properly authenticate OpenTelemetry Logs requests.
🔧 Temporary Workarounds
Use built-in http_basic authentication
Switch from custom authentication plugins to the built-in http_basic authentication provider, which is not affected by this vulnerability.
Modify Data Prepper pipeline configuration to use 'http_basic' authentication instead of custom GrpcAuthenticationProvider implementations.
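As an added illustration (not from the advisory or the Data Prepper project), the pipeline fragment below shows an otel_logs_source configured with a hypothetical custom authentication plugin beside the same source switched to the built-in http_basic provider; the pipeline name, the plugin name my_custom_grpc_auth, the sink host and the credentials are constructed placeholders.

```yaml
# Added example, not part of the advisory. All names below are constructed
# placeholders; "my_custom_grpc_auth" is a hypothetical plugin name.

# BEFORE (affected on 2.1.0 through 2.10.1): a custom GrpcAuthenticationProvider
# that only implements getHttpAuthenticationService(), so OTel Logs requests
# reach the source without being authenticated.
otel-logs-pipeline-custom-auth:
  source:
    otel_logs_source:
      authentication:
        my_custom_grpc_auth:          # hypothetical custom plugin
          token_url: "https://auth.example.internal/token"   # placeholder
  sink:
    - opensearch:
        hosts: ["https://opensearch.example.internal:9200"]  # placeholder
        index: otel-logs
---
# AFTER (workaround): same source using the built-in http_basic provider,
# which the advisory states is not affected.
otel-logs-pipeline-http-basic:
  source:
    otel_logs_source:
      authentication:
        http_basic:
          username: "otel-ingest"          # placeholder
          password: "changeme-placeholder" # placeholder; keep out of source control
  sink:
    - opensearch:
        hosts: ["https://opensearch.example.internal:9200"]  # placeholder
        index: otel-logs
```

Pair http_basic with TLS on the source so the credentials are not sent in clear text, which also addresses the "unencrypted gRPC traffic" indicator listed under Detection & Monitoring.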
Deploy authentication proxy
Place an authentication proxy in front of Data Prepper instances to enforce authentication before requests reach the vulnerable OpenTelemetry Logs source.
Deploy reverse proxy (nginx, Apache, etc.) with authentication configured to front Data Prepper OpenTelemetry endpoints.
🧯 If You Can't Patch
- Switch to using the built-in http_basic authentication provider instead of custom authentication plugins.
- Implement network-level controls to restrict access to Data Prepper OpenTelemetry endpoints to trusted sources only.
🔍 How to Verify
Check if Vulnerable:
You are vulnerable if you run Data Prepper version 2.1.0 through 2.10.1 with a custom GrpcAuthenticationProvider implementation that uses getHttpAuthenticationService() rather than getAuthenticationInterceptor().
Check Version:
Check Data Prepper logs or configuration for version information, or run: java -jar data-prepper.jar --version
Verify Fix Applied:
Verify Data Prepper version is 2.10.2 or later, and test that OpenTelemetry Logs endpoints now properly require authentication.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to OpenTelemetry Logs endpoints
- Failed authentication attempts from custom plugins
- Unexpected log ingestion from unverified sources
Network Indicators:
- Unencrypted or unauthenticated gRPC traffic to Data Prepper OpenTelemetry ports
- Traffic bypassing expected authentication mechanisms
SIEM Query:
source="data-prepper" AND (event="unauthenticated_request" OR auth_result="failure") AND endpoint="opentelemetry_logs"