K000138255 : Go OpenTelemetry Contrib vulnerability CVE-2023-47108

2024-01-1600:00:00

my.f5.com

opentelemetry-go

contrib

vulnerability

grpc

unary server interceptor

memory exhaustion

malicious requests

fix

workaround

disable metrics

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

38.0%

JSON

Security Advisory Description

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the server’s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider. (CVE-2023-47108)

Impact

There is no impact; F5 products are not affected by this vulnerability.

CPENameOperatorVersion
f5 ssl orchestratoreq15.1.0
f5 ssl orchestratoreq15.1.1
f5 ssl orchestratoreq15.1.9
f5 ssl orchestratoreq16.1.0
f5 ssl orchestratoreq16.1.1
f5 ssl orchestratoreq16.1.3
f5 ssl orchestratoreq16.1.4
f5 ssl orchestratoreq17.1.0
f5 ssl orchestratoreq17.1.1
big-ip next cgnat cnfeq1.1.0

Name	Operator	Version
f5 ssl orchestrator	eq	15.1.0
f5 ssl orchestrator	eq	15.1.1
f5 ssl orchestrator	eq	15.1.9
f5 ssl orchestrator	eq	16.1.0
f5 ssl orchestrator	eq	16.1.1
f5 ssl orchestrator	eq	16.1.3
f5 ssl orchestrator	eq	16.1.4
f5 ssl orchestrator	eq	17.1.0
f5 ssl orchestrator	eq	17.1.1
big-ip next cgnat cnf	eq	1.1.0