CVE-2023-47108

DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

OpenTelemetry-Go Contrib es una colección de paquetes de terceros para OpenTelemetry-Go. Antes de la versión 0.46.0, grpc Unary Server Interceptor agrega etiquetas `net.peer.sock.addr` y `net.peer.sock.port` que tienen cardinalidad independiente. Conduce al posible agotamiento de la memoria del servidor cuando se envían muchas solicitudes maliciosas. Un atacante puede inundar fácilmente la dirección y el puerto del par para solicitudes. La versión 0.46.0 contiene una solución para este problema. Como workaround para dejar de verse afectado, se puede utilizar una vista que elimine los atributos. La otra posibilidad es deshabilitar la instrumentación de métricas de grpc pasando la opción `otelgrpc.WithMeterProvider` con `noop.NewMeterProvider`.

A memory exhaustion flaw was found in the otelgrpc handler of open-telemetry. This flaw may allow a remote unauthenticated attacker to flood the peer address and port and exhaust the server's memory by sending multiple malicious requests, affecting the availability of the system.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-10-30 CVE Reserved
2023-11-10 CVE Published
2024-06-25 First Exploit
2024-09-03 CVE Updated
2024-10-10 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (9)

URL	Tag	Source
https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327	Product
https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138	Product
https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider	Product

URL	Date	SRC
https://github.com/bahe-msft/govuln-CVE-2023-47108	2024-06-25

URL	Date	SRC
https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b	2023-11-20
https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322	2023-11-20

URL	Date	SRC
https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw	2023-11-20
https://access.redhat.com/security/cve/CVE-2023-47108	2024-10-23
https://bugzilla.redhat.com/show_bug.cgi?id=2251198	2024-10-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Opentelemetry Search vendor "Opentelemetry"		Opentelemetry Search vendor "Opentelemetry" for product "Opentelemetry"				< 0.46.0 Search vendor "Opentelemetry" for product "Opentelemetry" and version " < 0.46.0"		go		Affected