CVE-2023-43810

opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label `http_method` that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. HTTP method for requests can be easily set by an attacker to be random and long. In order to be affected program has to be instrumented for HTTP handlers and does not filter any unknown HTTP methods on the level of CDN, LB, previous middleware, etc. This issue has been patched in version 0.41b0.

OpenTelemetry, también conocido como OTel para abreviar, es un framework de observabilidad de código abierto, independiente del proveedor, para instrumentar, generar, recopilar y exportar datos de telemetría, como seguimientos, métricas y registros. La instrumentación automática lista para usar agrega la etiqueta `http_method` que tiene cardinalidad ilimitada. Conduce al posible agotamiento de la memoria del servidor cuando se envían muchas peticiones maliciosas. Un atacante puede configurar fácilmente el método HTTP para solicitudes para que sea aleatorio y largo. Para verse afectado, el programa debe estar instrumentado para controladores HTTP y no filtrar ningún método HTTP desconocido en el nivel de CDN, LB, middleware anterior, etc. Este problema se solucionó en la versión 0.41b0.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-09-22 CVE Reserved
2023-10-06 CVE Published
2024-09-19 CVE Updated
2024-11-07 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (3)

URL	Tag	Source
https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0	Release Notes

URL	Date	SRC

URL	Date	SRC
https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e	2023-10-11

URL	Date	SRC
https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v	2023-10-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Opentelemetry Search vendor "Opentelemetry"		Opentelemetry Search vendor "Opentelemetry" for product "Opentelemetry"				< 0.41b0 Search vendor "Opentelemetry" for product "Opentelemetry" and version " < 0.41b0"		-		Affected