Published: January 16, 2024

K000138255 : Go OpenTelemetry Contrib vulnerability CVE-2023-47108

Source: my.f5.com
Tags: opentelemetry-go, contrib, vulnerability, grpc, unary server interceptor, memory exhaustion, malicious requests, fix, workaround, disable metrics

AI Score: 6.5 Medium (confidence: Low)

EPSS: 0.001 Low (percentile: 38.0%)

Security Advisory Description

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the gRPC Unary Server Interceptor in the otelgrpc instrumentation adds the attributes net.peer.sock.addr and net.peer.sock.port to the server metrics it records by default. Those attributes have unbounded cardinality: the metrics SDK keeps a separate aggregation for every distinct combination of attribute values, and the peer address and port are chosen by whoever connects, with every new connection arriving on a fresh ephemeral port. An attacker who simply opens many connections therefore creates a new time series per request, and because the SDK retains those aggregations rather than evicting them, the server's memory grows until it is exhausted. Version 0.46.0 contains a fix for this issue. As a workaround, a metric View that removes the two attributes can be registered on the MeterProvider. The other option is to disable gRPC metrics instrumentation entirely by passing the otelgrpc.WithMeterProvider option with noop.NewMeterProvider. (CVE-2023-47108)
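The cardinality explosion described above, and the effect of the View-based workaround, as an added example that is not code from this advisory or from the opentelemetry-go-contrib project: a stdlib-only Go model of the SDK's per-attribute-set metric storage, with a key filter standing in for attribute.NewDenyKeysFilter. The peer address, port range, service and method names are constructed inputs; the SDK calls quoted in the comments are the OpenTelemetry-Go API as best known here and should be checked against the SDK version actually in use.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// attr is one metric attribute (label) as a key/value pair.
type attr struct{ key, val string }

// histogram is a toy stand-in for one rpc.server.duration aggregation.
type histogram struct {
	count int
	sum   float64
}

// meter is a toy stand-in for the SDK's metric storage: one aggregation per
// distinct attribute set, kept for the life of the process. filter plays the
// role of metric.Stream.AttributeFilter; nil keeps every attribute, which is
// the out-of-the-box behaviour the vulnerable interceptor relied on.
type meter struct {
	filter func(key string) bool
	series map[string]*histogram
}

func newMeter(filter func(key string) bool) *meter {
	return &meter{filter: filter, series: make(map[string]*histogram)}
}

// record applies the attribute filter, then looks up (or creates) the
// aggregation keyed by the canonical sorted attribute set. Every previously
// unseen attribute set allocates a new entry that is never freed.
func (m *meter) record(durMs float64, attrs []attr) {
	kept := make([]attr, 0, len(attrs))
	for _, a := range attrs {
		if m.filter == nil || m.filter(a.key) {
			kept = append(kept, a)
		}
	}
	sort.Slice(kept, func(i, j int) bool { return kept[i].key < kept[j].key })
	parts := make([]string, len(kept))
	for i, a := range kept {
		parts[i] = a.key + "=" + a.val
	}
	key := strings.Join(parts, ",")
	h, ok := m.series[key]
	if !ok {
		h = &histogram{}
		m.series[key] = h
	}
	h.count++
	h.sum += durMs
}

// seriesCount is the number of distinct aggregations held in memory.
func (m *meter) seriesCount() int { return len(m.series) }

// denyKeys mirrors attribute.NewDenyKeysFilter: drop the named keys, keep the rest.
func denyKeys(keys ...string) func(string) bool {
	deny := make(map[string]bool, len(keys))
	for _, k := range keys {
		deny[k] = true
	}
	return func(key string) bool { return !deny[key] }
}

// interceptorAttrs is the attribute set the pre-0.46.0 interceptor attached to
// its server metrics. The rpc.* values are bounded by the service's API; the
// two net.peer.sock.* values are controlled by whoever connects.
func interceptorAttrs(service, method, peerAddr string, peerPort int) []attr {
	return []attr{
		{"rpc.system", "grpc"},
		{"rpc.service", service},
		{"rpc.method", method},
		{"net.peer.sock.addr", peerAddr},
		{"net.peer.sock.port", strconv.Itoa(peerPort)},
	}
}

// flood models one client (constructed address 203.0.113.7) calling the same
// RPC n times, each call on a new connection and so a new ephemeral source
// port. It returns how many aggregations the meter holds afterwards.
func flood(m *meter, n int) int {
	for i := 0; i < n; i++ {
		port := 1024 + i%64512
		m.record(1.5, interceptorAttrs("helloworld.Greeter", "SayHello", "203.0.113.7", port))
	}
	return m.seriesCount()
}

func main() {
	// Before otelgrpc v0.46.0: one new series per request from a single client.
	fmt.Println("unfiltered series after 10000 calls:", flood(newMeter(nil), 10000))

	// Advisory workaround: a View whose AttributeFilter drops the peer socket
	// attributes. Real SDK equivalent (assumed API, not run here):
	//   view := metric.NewView(
	//       metric.Instrument{Name: "rpc.server.*"},
	//       metric.Stream{AttributeFilter: attribute.NewDenyKeysFilter(
	//           attribute.Key("net.peer.sock.addr"), attribute.Key("net.peer.sock.port"))})
	//   mp := metric.NewMeterProvider(metric.WithReader(reader), metric.WithView(view))
	//   otelgrpc.UnaryServerInterceptor(otelgrpc.WithMeterProvider(mp))
	hardened := newMeter(denyKeys("net.peer.sock.addr", "net.peer.sock.port"))
	fmt.Println("filtered series after 10000 calls:", flood(hardened, 10000))
}
```

The filtered meter stays at one series per distinct rpc.service/rpc.method pair no matter how many connections arrive, which is the bounded cardinality the fix in 0.46.0 restores by no longer attaching the peer attributes. If metrics are not needed at all, the second workaround from the advisory replaces `mp` above with `noop.NewMeterProvider()` from go.opentelemetry.io/otel/metric/noop while leaving tracing untouched. A practical check after applying either change is to inspect the exported metrics (for example a Prometheus scrape of the server) and confirm that no net.peer.sock.addr or net.peer.sock.port label appears on the rpc.server.* instruments.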

Impact

There is no impact; F5 products are not affected by this vulnerability.
