Skip to content

Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY] - autoclosed#4225

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-go.opentelemetry.io-otel-sdk-vulnerability
Closed

Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY] - autoclosed#4225
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-go.opentelemetry.io-otel-sdk-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
go.opentelemetry.io/otel/sdk v1.42.0v1.43.0 age confidence

opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

CVE-2026-39883 / GHSA-hfvc-g4fc-pqhx

More information

Details

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack
  1. Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
  2. Attacker places a malicious kenv binary earlier in $PATH
  3. Application initializes OpenTelemetry resource detection at startup
  4. hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
  5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

Severity

  • CVSS Score: 7.3 / 10 (High)
  • Vector String: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/sdk)

v1.43.0: /v0.65.0/v0.19.0

Compare Source

Added

  • Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace
    for W3C Trace Context Level 2 Random Trace ID Flag support. (#​8012)
  • Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#​7642)
  • Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#​8051)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8038)
  • Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8038)
  • Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric.
    Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#​8060)
  • Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#​7855)

Changed

  • Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#​8038)
  • Refactor slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#​8039)
  • Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#​8067)
  • Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#​8073)

Deprecated

  • Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#​8038)

Fixed

  • Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to
    make the implementation spec-compliant. (#​8027)
  • Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#​8056)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
    Responses exceeding the limit are treated as non-retryable errors. (#​8108)
  • WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#​8113)
  • Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#​8096)

What's Changed

New Contributors

Full Changelog: open-telemetry/opentelemetry-go@v1.42.0...v1.43.0


Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the security label Apr 23, 2026
@renovate renovate Bot enabled auto-merge (squash) April 23, 2026 22:52
@renovate renovate Bot requested a review from a team April 23, 2026 22:52
@renovate

renovate Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: flow/go.sum
Command failed: go get -t ./...
go: github.com/PeerDB-io/peerdb/flow/activities imports
	github.com/PeerDB-io/peerdb/flow/generated/protos: cannot find module providing package github.com/PeerDB-io/peerdb/flow/generated/protos
go: github.com/PeerDB-io/peerdb/flow/cmd imports
	github.com/PeerDB-io/peerdb/flow/generated/grpc_handler: cannot find module providing package github.com/PeerDB-io/peerdb/flow/generated/grpc_handler
go: github.com/PeerDB-io/peerdb/flow/cmd imports
	github.com/PeerDB-io/peerdb/flow/generated/proto_conversions: cannot find module providing package github.com/PeerDB-io/peerdb/flow/generated/proto_conversions
go: module github.com/aws/aws-sdk-go-v2/feature/s3/manager is deprecated: superceded by feature/s3/transfermanager. See https://github.com/aws/aws-sdk-go-v2/discussions/3306

@codecov

codecov Bot commented Apr 23, 2026

Copy link
Copy Markdown

⚠️ JUnit XML file not found

The CLI was unable to find any JUnit XML files to upload.
For more help, visit our troubleshooting guide.

@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: The build fails deterministically with missing go.sum entries for go.opentelemetry.io/otel packages after a Renovate dependency update that left go.sum incomplete.
Confidence: 0.98

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-sdk-vulnerability branch from 6308a4b to 3f0b18f Compare April 23, 2026 23:28
@renovate renovate Bot requested a review from a team April 23, 2026 23:28
@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Build fails deterministically with missing go.sum entries for go.opentelemetry.io/otel packages on a Renovate dependency-update branch — the go.sum file was not regenerated after the otel SDK version bump.
Confidence: 0.97

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-sdk-vulnerability branch from 3f0b18f to b3b79a9 Compare April 24, 2026 02:07
@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Deterministic build failure: Renovate's OpenTelemetry SDK update left go.sum missing entries for otel packages, so the Go build fails before any tests run.
Confidence: 0.97

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-sdk-vulnerability branch from b3b79a9 to b6a9770 Compare April 25, 2026 16:31
@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Deterministic build failure: the Renovate branch updated go.opentelemetry.io/otel but go.sum is missing checksum entries for the new transitive otel dependencies, causing the build to fail before any tests ran.
Confidence: 0.98

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot changed the title Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY] Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
auto-merge was automatically disabled April 27, 2026 17:49

Pull request was closed

@renovate renovate Bot deleted the renovate/go-go.opentelemetry.io-otel-sdk-vulnerability branch April 27, 2026 17:49
@renovate renovate Bot changed the title Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY] - autoclosed Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-sdk-vulnerability branch 2 times, most recently from b6a9770 to 9f8d012 Compare April 27, 2026 21:46
@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Deterministic build failure: the Renovate OpenTelemetry SDK upgrade left go.sum missing entries for go.opentelemetry.io/otel transitive packages, so go build fails before any tests can run.
Confidence: 0.97

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Build fails deterministically with missing go.sum entries for go.opentelemetry.io/otel packages after a Renovate dependency bump, so no tests ran at all.
Confidence: 0.98

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot enabled auto-merge (squash) April 28, 2026 00:11
@renovate renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-sdk-vulnerability branch from 9f8d012 to 85f741f Compare April 28, 2026 00:11
@github-actions

Copy link
Copy Markdown
Contributor

❌ Test Failure

Analysis: Real build failure on the Renovate OpenTelemetry update branch: go.sum is missing entries for multiple go.opentelemetry.io packages, meaning go mod tidy was not run after the dependency bump.
Confidence: 0.98

⚠️ This appears to be a real bug - manual intervention needed

View workflow run

@renovate renovate Bot changed the title Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY] Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY] - autoclosed Apr 28, 2026
@renovate renovate Bot closed this Apr 28, 2026
auto-merge was automatically disabled April 28, 2026 05:51

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant