CVE-2023-45142
OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics
Descriptions
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper, out of the box, adds the labels `http.user_agent` and `http.method`, which have unbounded cardinality. This leads to potential memory exhaustion on the server when many malicious requests are sent to it: the HTTP `User-Agent` header or the HTTP method of a request can easily be set by an attacker to random, long values. The library internally uses `httpconv.ServerRequest`, which records every value seen for the HTTP `method` and `User-Agent`. To be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter unknown HTTP methods or User-Agents at the level of a CDN, load balancer, earlier middleware, etc. Version 0.44.0 fixed this issue: the values collected for the attribute `http.request.method` were restricted to a set of well-known values, and other high-cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires careful manual configuration so that it does not stop recording certain requests entirely. For convenience and safe use of this library, it should by default label non-standard HTTP methods and User-Agents as `unknown`, showing that such requests were made without increasing cardinality. Should anyone want to keep the current behavior, the library API should allow enabling it.
A memory leak was found in the otelhttp handler of open-telemetry. This flaw allows a remote, unauthenticated attacker to exhaust the server's memory by sending many malicious requests, affecting availability.
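The description above contrasts the pre-fix behavior (every raw method and User-Agent value becomes a new metric series) with the fix in 0.44.0 (method restricted to a well-known set, other high-cardinality attributes dropped) and the `otelhttp.WithFilter()` workaround. The following Go program, an added illustration that is not code from the OpenTelemetry-Go Contrib project, models both label strategies with a toy counter built on the standard library only and floods it with constructed requests carrying attacker-chosen methods and User-Agents. The `knownMethods` set, the `Counter` type and the `Simulate` function are this example's own; `StandardMethodsOnly` is written as a plain `func(*http.Request) bool` predicate, which is assumed to match the shape `otelhttp.WithFilter` accepts.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
)

// knownMethods is the bounded allowlist of label values for the method attribute
// (the RFC 9110 methods; this is the example's own set, not the library's).
var knownMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "DELETE": true,
	"CONNECT": true, "OPTIONS": true, "TRACE": true, "PATCH": true,
}

// NormalizeMethod maps anything outside the allowlist to "unknown", so arbitrary
// attacker-chosen method tokens can add at most one extra series.
func NormalizeMethod(method string) string {
	if knownMethods[method] {
		return method
	}
	return "unknown"
}

// StandardMethodsOnly is a request predicate of the shape func(*http.Request) bool.
// Used as an instrumentation filter it excludes non-standard methods entirely, which
// is the workaround trade-off the advisory describes: such requests are not recorded
// at all. (Assumed to be the shape otelhttp.WithFilter accepts; not imported here.)
func StandardMethodsOnly(r *http.Request) bool {
	return knownMethods[r.Method]
}

// Counter is a toy per-label-set request counter standing in for a metric instrument.
type Counter struct {
	mu     sync.Mutex
	counts map[string]int
	key    func(*http.Request) string
}

func NewCounter(key func(*http.Request) string) *Counter {
	return &Counter{counts: map[string]int{}, key: key}
}

func (c *Counter) Record(r *http.Request) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.counts[c.key(r)]++
}

// Series is the number of distinct label sets held in memory.
func (c *Counter) Series() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.counts)
}

// UnboundedKey models the pre-fix behavior: raw method plus raw User-Agent.
func UnboundedKey(r *http.Request) string {
	return r.Method + "|" + r.UserAgent()
}

// BoundedKey models the post-fix behavior: normalized method, no User-Agent label.
func BoundedKey(r *http.Request) string {
	return NormalizeMethod(r.Method)
}

// Simulate sends n constructed requests with attacker-chosen methods and User-Agents
// through both counters and returns the resulting series counts.
func Simulate(n int) (unbounded, bounded int) {
	raw := NewCounter(UnboundedKey)
	safe := NewCounter(BoundedKey)
	for i := 0; i < n; i++ {
		method := "GET"
		if i%2 == 1 { // every other request uses a made-up method token
			method = fmt.Sprintf("M%d", i)
		}
		req, err := http.NewRequest(method, "http://example.invalid/", nil)
		if err != nil {
			panic(err)
		}
		req.Header.Set("User-Agent", fmt.Sprintf("scanner-%d", i)) // constructed value
		raw.Record(req)
		safe.Record(req)
	}
	return raw.Series(), safe.Series()
}

func main() {
	u, b := Simulate(10000)
	fmt.Printf("unbounded labels: %d series, bounded labels: %d series\n", u, b)
}
```

With 10000 requests the unbounded counter holds 10000 series (one per distinct User-Agent), while the bounded counter holds two (`GET` and `unknown`) regardless of how many requests arrive; memory growth is the metric's cardinality, not its request volume. The filter predicate is shown separately because it bounds cardinality by a different mechanism, dropping the request from instrumentation, which is why the advisory prefers the `unknown` label as the default.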
Timeline
- 2023-10-04 CVE Reserved
- 2023-10-12 CVE Published
- 2024-08-02 CVE Updated
- 2024-11-13 EPSS Updated
CWE
- CWE-770: Allocation of Resources Without Limits or Throttling
References (11)
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Opentelemetry | Opentelemetry | < 0.44.0 | go | Affected