Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-RCJV-MGP8-QVMR
HistoryOct 16, 2023 - 2:01 p.m.

OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics

2023-10-1614:01:54
Google
osv.dev
10

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.005 Low

EPSS

Percentile

75.4%

JSON

Summary

This handler wrapper https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65
out of the box adds labels

  • http.user_agent
  • http.method

that have unbound cardinality. It leads to the server’s potential memory exhaustion when many malicious requests are sent to it.

Details

HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent.

PoC

Send many requests with long randomly generated HTTP methods or/and User agents (e.g. a million) and observe how memory consumption increases during it.

Impact

In order to be affected, the program has to configure a metrics pipeline, use otelhttp.NewHandler wrapper, and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc.

Others

It is similar to already reported vulnerabilities

Workaround for affected versions

As a workaround to stop being affected otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely.

For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

The other possibility is to disable HTTP metrics instrumentation by passing otelhttp.WithMeterProvider option with noop.NewMeterProvider.

Solution provided by upgrading

In PR https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277, released with package version 0.44.0, the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed.

References

References

Related

osv 8
prion 3
redhatcve 3
gitlab 9
github 3
cve 3
veracode 3
nessus 24
cgr 2
openvas 46
cbl_mariner 18
fedora 33
wolfi 2
alpinelinux 2
ibm 3
suse 7
redhat 25
debiancve 1
mageia 1
ubuntucve 1
amazon 2
osv
osv
Uncontrolled Resource Consumption in promhttp
2022-02-16 22:26:35
CVE-2023-25151
2023-02-08 20:15:24
CVE-2022-21698
2022-02-15 16:15:08
prion
prion
Design/Logic Flaw
2023-02-08 20:15:00
Design/Logic Flaw
2023-10-12 17:15:00
Design/Logic Flaw
2022-02-15 16:15:00
redhatcve
redhatcve
CVE-2023-25151
2023-02-22 01:31:22
CVE-2023-45142
2023-10-27 22:28:41
CVE-2022-21698
2022-02-15 17:20:06
gitlab
gitlab
Uncontrolled Resource Consumption
2023-02-08 00:00:00
Uncontrolled Resource Consumption
2023-02-08 00:00:00
Allocation of Resources Without Limits or Throttling
2023-10-16 00:00:00
github
github
otelhttp and otelbeego have DoS vulnerability for high cardinality metrics
2023-02-08 22:32:16
OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics
2023-10-16 14:01:54
Uncontrolled Resource Consumption in promhttp
2022-02-16 22:26:35
cve
cve
CVE-2023-25151
2023-02-08 20:15:24
CVE-2023-45142
2023-10-12 17:15:09
CVE-2022-21698
2022-02-15 16:15:00
veracode
veracode
Denial Of Service (DoS)
2023-02-10 09:48:31
Denial Of Service
2023-10-13 12:27:54
Denial Of Service (DoS)
2022-02-16 07:17:26
nessus
nessus
Fedora 39 : caddy (2024-22b915e51a)
2024-02-19 00:00:00
Fedora 40 : caddy (2024-19d093c14d)
2024-04-29 00:00:00
Fedora 39 : golang-github-prometheus-alertmanager (2023-0c6723004f)
2023-11-07 00:00:00
cgr
cgr
CVE-2023-45142 vulnerabilities
2024-05-03 09:06:23
CVE-2022-21698 vulnerabilities
2024-05-03 09:06:23
openvas
openvas
Fedora: Security Advisory for caddy (FEDORA-2024-22b915e51a)
2024-02-20 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:3745-1)
2022-10-27 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:1435-1)
2022-04-28 00:00:00
cbl_mariner
cbl_mariner
CVE-2023-45142 affecting package kubernetes for versions less than 1.29.1-2
2024-03-19 17:21:46
CVE-2023-45142 affecting package prometheus for versions less than 2.45.4-1
2024-04-17 22:02:46
CVE-2023-45142 affecting package opa for versions less than 0.63.0-1
2024-04-10 21:48:40
fedora
fedora
[SECURITY] Fedora 39 Update: caddy-2.7.6-1.fc39
2024-02-19 02:29:13
[SECURITY] Fedora 34 Update: stargz-snapshotter-0.10.2-1.fc34
2022-04-14 16:06:55
[SECURITY] Fedora 36 Update: skopeo-1.7.0-1.fc36
2022-03-29 00:20:58
wolfi
wolfi
CVE-2023-45142 vulnerabilities
2024-05-03 09:06:24
CVE-2022-21698 vulnerabilities
2024-05-03 09:06:24
alpinelinux
alpinelinux
CVE-2023-45142
2023-10-12 17:15:09
CVE-2022-21698
2022-02-15 16:15:00
ibm
ibm
Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to denial of service due to OpenTelemetry go module ( CVE-2023-45142, CVE-2023-47108 )
2024-03-20 17:49:09
Security Bulletin: CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard
2023-03-29 19:03:37
Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak
2022-08-20 18:32:48
suse
suse
Security update for golang-github-prometheus-alertmanager (important)
2022-06-20 00:00:00
Security update for node_exporter (important)
2022-06-20 00:00:00
Security update for golang-github-prometheus-node_exporter (moderate)
2022-10-26 00:00:00
redhat
redhat
(RHSA-2022:4667) Moderate: OpenShift Virtualization 4.10.1 RPMs security and bug fix update
2022-05-18 15:34:20
(RHSA-2023:2014) Moderate: OpenShift Container Platform 4.11.39 bug fix and security update
2023-05-02 01:50:20
(RHSA-2023:7682) Important: OpenShift Container Platform 4.14.6 bug fix and security update
2023-12-12 09:45:19
debiancve
debiancve
CVE-2022-21698
2022-02-15 16:15:00
mageia
mageia
Updated golang-github-prometheus-client packages fix security vulnerability
2022-05-15 13:06:40
ubuntucve
ubuntucve
CVE-2022-21698
2022-02-15 00:00:00
amazon
amazon
Important: cri-tools
2024-02-01 19:57:00
Important: amazon-cloudwatch-agent
2024-01-19 01:51:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.005 Low

EPSS

Percentile

75.4%

JSON
Related for OSV:GHSA-RCJV-MGP8-QVMR
osv8prion3redhatcve3gitlab9github3cve3veracode3nessus24cgr2openvas46cbl_mariner18fedora33wolfi2alpinelinux2ibm3suse7redhat25debiancve1mageia1ubuntucve1amazon2