OpenTelemetry eBPF Instrumentation (OBI), Path Traversal / File Overwrite, GHSA-8gmg-3w2q-65f4 (High)

Listen to this Post

The vulnerability stems from two critical flaws in the Java agent injection logic of the OpenTelemetry eBPF Instrumentation (OBI) component. First, when OBI reads the `TMPDIR` environment variable from a target Java process, it validates the directory path using the `dirOK(…)` function, which employs filepath.Join(root, dir), where `root` is the target’s `/proc//root` namespace. However, if `dir` is an absolute path (e.g., /etc), `filepath.Join` discards the `root` prefix, allowing the path to be resolved on the host’s root filesystem instead of the target’s isolated namespace. This enables a malicious Java process to force the injector to write files to arbitrary host locations.
Second, the file creation in `copyAgent(…)` is performed using os.OpenFile(..., os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644). This call does not use exclusive creation (O_EXCL) and offers no protection against symlink attacks. An attacker with a writable temp directory can pre-create a symlink at the expected destination (e.g., /tmp/obi-java-agent.jar -> /etc/passwd), causing the privileged injector to follow the link and overwrite the target host file with truncation.
Platform: Linux
Version: < v0.8.0
Vulnerability : Path Traversal & Symlink File Overwrite
Severity: High
date: 2026-04-17

Prediction: Patch date already released (2026-04-17)

What Undercode Say:

Validate that your OBI version is vulnerable
Vulnerable versions are those before v0.8.0
obi version | grep "v0." | awk '{if ($2 < "v0.8.0") print "Vulnerable version detected"}'
Check current running OBI processes and their privileges
ps aux | grep obi
If OBI is running as root or with high privileges, the risk is elevated
Simulate the path escape vulnerability (PoC step 1)
Set the TMPDIR to an absolute path that should be contained within the process root
export TMPDIR=/etc
Start a Java process that will be targeted by OBI for injection
java -version
Observe the privileged injector attempting to write the agent outside /proc/<pid>/root
Simulate the symlink clobber case (PoC step 2)
export TMPDIR=/tmp
ln -s /etc/passwd /tmp/obi-java-agent.jar
Trigger the Java agent injection for the process
The injector will follow the symlink and overwrite /etc/passwd
Protection: Mitigation and upgrade
Upgrade to the patched version v0.8.0 or later
https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.8.0

Exploit:

To exploit this vulnerability, an attacker must have the ability to run a Java process on the same host where OBI is running with elevated privileges and Java injection enabled. The exploit takes two primary forms:
1. Path Escape: The attacker starts a Java process with `TMPDIR` set to an absolute host path like `/etc` or /proc/1/root/etc. When OBI injects the agent, `dirOK(…)` validates the path but `filepath.Join` discards the `/proc//root` boundary, causing the `copyAgent(…)` function to write the `obi-java-agent.jar` file directly to the attacker-controlled host location.
2. Symlink Clobbering: The attacker creates a Java process with `TMPDIR` set to a writable directory (e.g., /tmp). Before injection, they create a symlink at the expected injection path, such as /tmp/obi-java-agent.jar -> /path/to/target/file. The privileged OBI process then uses `os.OpenFile` without `O_EXCL` or symlink protections, opening the symlink’s target and truncating its contents, effectively overwriting any file writable by the OBI process.

Protection from this CVE:

The primary remediation is to upgrade to OBI version v0.8.0 or later, which fixes the path validation and file creation logic. As a temporary mitigation, administrators can restrict the use of Java injection or ensure that OBI does not run with unnecessary elevated privileges. Setting a secure, non-writable, and non-symlinkable `TMPDIR` for Java processes or disabling Java injection entirely can also prevent exploitation until an upgrade is applied.

Impact:

Successful exploitation allows a local attacker to perform arbitrary file overwrites (file clobbering) on the host system. This can lead to host integrity compromise, service disruption or denial of service, and potentially local privilege escalation depending on which files are overwritten. The vulnerability is local rather than remote, but the impact is high because OBI operates with elevated privileges on the host.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top