The OpenTelemetry Java Instrumentation project provides auto-instrumentation and instrumentation libraries for Java applications. In versions prior to 1.28., the instrumentation of Java applications that use the AWS SDK v2 together with the Amazon Simple Email Service (SES) v1 API is affected by a critical vulnerability: the content of sent emails can be exposed to unintended users via traces.

Vulnerability Details

When SES POST requests are instrumented, the request's query parameters are inserted into the trace's url.path field. Because the SES v1 API carries its parameters in the POST body, the HTTP body, which contains the email subject and message, ends up in the trace's request URL metadata.

Here is an example of a code snippet using the AWS SDK v2 and the SES v1 API:

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.ses.SesClient;
import software.amazon.awssdk.services.ses.model.SendEmailRequest;
import software.amazon.awssdk.services.ses.model.Destination;
import software.amazon.awssdk.services.ses.model.Content;
import software.amazon.awssdk.services.ses.model.Body;
import software.amazon.awssdk.services.ses.model.Message;

public class SesSendEmailExample {
    public static void main(String[] args) {
        SesClient client = SesClient.builder().region(Region.US_WEST_2).build();
        Destination destination = Destination.builder().toAddresses("recipient@example.com").build();
        // The subject and body text are the values that the vulnerable
        // instrumentation copies into the trace's url.path field.
        Content subject = Content.builder().data("Hello, World!").build();
        Content textBody = Content.builder().data("This is a test e-mail.").build();
        Body body = Body.builder().text(textBody).build();
        Message message = Message.builder().subject(subject).body(body).build();
        SendEmailRequest request = SendEmailRequest.builder()
                .source("sender@example.com")
                .destination(destination)
                .message(message)
                .build();
        client.sendEmail(request);
    }
}

Any user who relies on OpenTelemetry Java Instrumentation to instrument AWS SDK v2 calls to the SES v1 SendEmail API is affected.

Impact

The unintended exposure of email content via the telemetry backend could lead to sensitive information leakage; potential issues caused by this vulnerability include:

References

- OpenTelemetry Java Instrumentation
- CVE-2023-39951 on NVD
- AWS SDK for Java 2.x
- Amazon Simple Email Service Documentation

Solution

The issue is fixed by updating OpenTelemetry Java Instrumentation to version 1.28. or later. To update, follow these steps:

1. Modify your project's dependencies to pull the updated version of OpenTelemetry Java Instrumentation.

2. Rebuild your application, ensuring the new version of the library is included.

3. Re-deploy your application and validate that the traces sent to the telemetry backend no longer contain email content in the url.path field.
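The validation in step 3 can be automated by scanning exported spans for SES message-content parameters in the url.path attribute. The following is an added example, not code from the advisory or from the OpenTelemetry project; it assumes spans exported as JSON objects with an "attributes" map (the sample spans below are constructed) and uses the standard SES v1 Query API parameter names for the message subject and body.

```python
"""Scan exported spans for SES email content leaked into url.path.

Added example; assumes spans are exported as a JSON list of objects with an
"attributes" map. Sample spans below are constructed for illustration.
"""
import json
from urllib.parse import parse_qs, urlsplit

# SES v1 Query API parameter names that carry the message content
# (assumption: the standard query-protocol keys used by SendEmail).
SENSITIVE_PREFIXES = ("Message.Subject.Data", "Message.Body.Text.Data",
                      "Message.Body.Html.Data")

def leaked_fields(url_path: str) -> dict:
    """Return {param: value} for every SES message-content parameter found in
    the query string of a url.path attribute (the field the vulnerable
    instrumentation populated from the POST body)."""
    if "?" not in url_path:
        return {}
    params = parse_qs(urlsplit(url_path).query, keep_blank_values=True)
    return {k: v[0] for k, v in params.items() if k.startswith(SENSITIVE_PREFIXES)}

def scan_spans(spans_json: str) -> list:
    """Return (span name, leaked fields) for each span whose url.path leaks
    SES email content; an empty list means no leak was found."""
    findings = []
    for span in json.loads(spans_json):
        attrs = span.get("attributes", {})
        leaked = leaked_fields(attrs.get("url.path", ""))
        if leaked:
            findings.append((span.get("name"), leaked))
    return findings

# Constructed sample: the first span mirrors what the vulnerable
# instrumentation recorded (POST body in url.path); the second shows the
# expected shape once the fix is in place.
SAMPLE_SPANS = json.dumps([
    {"name": "Ses.SendEmail",
     "attributes": {"http.method": "POST",
                    "url.path": "/?Action=SendEmail&Version=2010-12-01"
                                "&Source=sender%40example.com"
                                "&Message.Subject.Data=Hello%2C+World%21"
                                "&Message.Body.Text.Data=This+is+a+test+e-mail."}},
    {"name": "Ses.SendEmail",
     "attributes": {"http.method": "POST", "url.path": "/"}},
])

if __name__ == "__main__":
    for name, fields in scan_spans(SAMPLE_SPANS):
        print(f"{name}: leaked {sorted(fields)}")
```

Point scan_spans at a dump of spans from your telemetry backend after re-deploying; any finding means the affected instrumentation is still in the deployed artifact.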

By promptly updating the OpenTelemetry Java Instrumentation library, you can help protect your application and its users from the unintended exposure of sensitive information via traces.

Timeline

Published on: 08/08/2023 22:15:00 UTC
Last modified on: 08/16/2023 16:44:00 UTC