OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics
CVE-2023-45142

7.5 HIGH

Key Information:

CVE Published: 12 October 2023

What is CVE-2023-45142?

OpenTelemetry-Go Contrib is susceptible to memory exhaustion because its otelhttp instrumentation records HTTP attributes of unbounded cardinality, specifically http.user_agent and http.method. Every distinct attribute value creates a new metric series that stays resident in memory, so an attacker can exhaust it by sending crafted requests with long, random values for these headers. If the otelhttp.NewHandler wrapper is used without filtering HTTP methods or User-Agent values, the server may experience significant performance degradation or crash. Version 0.44.0 mitigates the issue by restricting the accepted HTTP methods and removing the high-cardinality attributes. For earlier versions the recommended workaround is otelhttp.WithFilter(), although the filter must be configured carefully to avoid logging sensitive requests. Libraries that implement this wrapper should default to labeling non-standard methods and User-Agents as unknown, so that arbitrary client-supplied values cannot inflate the label set and strain memory.
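The following Go program is an added illustration of the failure mode described above and of the bounded-label mitigation; it is not code from the OpenTelemetry-Go Contrib project. It uses only the standard library: requestCounter is an assumed stand-in for a metrics registry, normalizeMethod and normalizeUserAgent are assumed normalisation policies (the advisory itself only recommends labeling non-standard values as unknown), and standardMethodFilter has the func(*http.Request) bool shape that otelhttp.WithFilter accepts. The request stream is constructed in-process so the comparison runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// labelKey is the attribute tuple a per-request metric is keyed by. Each
// distinct key is a separate time series that lives for the whole process,
// which is why attacker-controlled values in the key are dangerous.
type labelKey struct {
	method    string
	userAgent string
}

// requestCounter is a toy metrics registry (assumed for this example, not the
// OpenTelemetry SDK). bounded=false stores raw header values, as the
// vulnerable versions did; bounded=true normalises them first.
type requestCounter struct {
	mu      sync.Mutex
	bounded bool
	counts  map[labelKey]int
}

func newRequestCounter(bounded bool) *requestCounter {
	return &requestCounter{bounded: bounded, counts: make(map[labelKey]int)}
}

// knownMethods is the allowlist from RFC 9110 plus PATCH (RFC 5789).
var knownMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "DELETE": true,
	"CONNECT": true, "OPTIONS": true, "TRACE": true, "PATCH": true,
}

// normalizeMethod keeps standard methods verbatim and folds everything else
// into one bucket, so the method label can take at most ten values.
func normalizeMethod(m string) string {
	if knownMethods[m] {
		return m
	}
	return "_OTHER"
}

// normalizeUserAgent collapses the free-form header to a few coarse families
// (assumed list) and otherwise to "unknown", the advisory's suggested default.
func normalizeUserAgent(ua string) string {
	for _, family := range []string{"curl", "Go-http-client", "Mozilla"} {
		if strings.HasPrefix(ua, family) {
			return family
		}
	}
	return "unknown"
}

func (c *requestCounter) record(r *http.Request) {
	key := labelKey{method: r.Method, userAgent: r.UserAgent()}
	if c.bounded {
		key = labelKey{method: normalizeMethod(r.Method), userAgent: normalizeUserAgent(r.UserAgent())}
	}
	c.mu.Lock()
	c.counts[key]++
	c.mu.Unlock()
}

// series is the number of distinct label sets held in memory: the quantity
// that grows without limit in the vulnerable configuration.
func (c *requestCounter) series() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.counts)
}

// instrument wraps a handler the way an HTTP metrics middleware would.
func instrument(next http.Handler, c *requestCounter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.record(r)
		next.ServeHTTP(w, r)
	})
}

// standardMethodFilter matches the filter shape otelhttp.WithFilter accepts:
// returning false skips instrumentation for the request entirely.
func standardMethodFilter(r *http.Request) bool {
	return knownMethods[r.Method]
}

// distinctSeriesAfter drives n constructed requests, each with a unique
// non-standard method and User-Agent, through the middleware and reports
// how many series the registry ends up holding.
func distinctSeriesAfter(n int, bounded bool) int {
	c := newRequestCounter(bounded)
	h := instrument(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}), c)
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(http.MethodGet, "/", nil)
		req.Method = fmt.Sprintf("M%06d", i)                     // constructed non-standard method
		req.Header.Set("User-Agent", fmt.Sprintf("probe/%d", i)) // constructed unique User-Agent
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return c.series()
}

func main() {
	fmt.Println("raw labels, 1000 requests ->", distinctSeriesAfter(1000, false), "series")
	fmt.Println("bounded labels, 1000 requests ->", distinctSeriesAfter(1000, true), "series")
}
```

With raw labels the series count equals the request count, so memory is proportional to whatever an unauthenticated client chooses to send; with normalisation the same traffic collapses to a single series. A useful operational check is to alert when the number of series for an HTTP metric exceeds the size of the method allowlist times the user-agent family list, which is the upper bound the normalisation guarantees.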

Affected Version(s)

opentelemetry-go-contrib < 0.44.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
