
13 matches found

OSV
added 2024/09/17 7:42 a.m., 20 views

SUSE-SU-2024:3266-1 Security update for SUSE Manager Client Tools

This update fixes the following issues: golang-github-prometheus-prometheus: - Security issues fixed: CVE-2024-6104: Update go-retryablehttp to version 0.7.7 bsc1227038 CVE-2023-45142: Updated otelhttp to version 0.46.1 bsc1228556 - Require Go 1.20 for building - Migrate from disabled to manual...

CVSS 7.5, AI score 7.6, EPSS 0.01159
Exploits 0, References 27
Tenable Nessus
added 2024/09/13 12:0 a.m., 25 views

SUSE SLES15 / openSUSE 15 Security Update : containerd (SUSE-SU-2024:3221-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3221-1 advisory. - Update to containerd v1.7.21 - CVE-2023-47108: Fixed DoS vulnerability in otelgrpc uncontrolled resource consumptio...

CVSS 9.3, AI score 7.7, EPSS 0.04299
Exploits 1, References 10
OSV
added 2024/09/10 8:44 a.m., 17 views

SUSE-SU-2024:3188-1 Security update for containerd

This update for containerd fixes the following issues: - Update to containerd v1.7.21 - CVE-2023-47108: Fixed DoS vulnerability in otelgrpc uncontrolled resource consumption due to unbound cardinality metrics. bsc1217070 - CVE-2023-45142: Fixed DoS vulnerability in otelhttp. bsc1228553...

CVSS 7.5, AI score 9.1, EPSS 0.75268
Exploits 1, References 9
RedHat Linux
added 2024/06/26 10:5 a.m., 3 views

opentelemetry: DoS vulnerability in otelhttp

A memory leak was found in the otelhttp handler of open-telemetry. This flaw allows a remote, unauthenticated attacker to exhaust the server's memory by sending many malicious requests, affecting the availability...

CVSS 7.5, AI score 7.1, EPSS 0.01159
Exploits 0, References 5
RedHat Linux
added 2023/12/06 5:0 a.m., 29 views

Important: Red Hat Security Advisory: Red Hat OpenShift distributed tracing 3.0.0 operator/operand containers

Red Hat OpenShift distributed tracing 3.0.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the...

CVSS 7.5, AI score 7.2, EPSS 0.01159
Exploits 0, References 10
RedhatCVE
added 2023/10/27 10:28 p.m., 66 views

CVE-2023-45142

A memory leak was found in the otelhttp handler of open-telemetry. This flaw allows a remote, unauthenticated attacker to exhaust the server's memory by sending many malicious requests, affecting the availability. Mitigation: As a workaround to stop being affected otelhttp.WithFilter can be used...

CVSS 7.5, AI score 7.3, EPSS 0.01159
Exploits 0, References 4
Microsoft CVE
added 2023/10/16 7:0 a.m., 1 views

OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics

...

CVSS 7.5, AI score 7.3, EPSS 0.01159
Exploits 0
OSV
added 2023/10/12 5:15 p.m., 2 views

AZL-35119 CVE-2023-45142 affecting package prometheus-adapter for versions less than 0.12.0-1

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.useragent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 7.1, EPSS 0.01159
Exploits 0, References 1
OSV
added 2023/10/12 5:15 p.m., 0 views

AZL-35116 CVE-2023-45142 affecting package prometheus for versions less than 2.45.4-1

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.useragent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 7, EPSS 0.01159
Exploits 0, References 1
OSV
added 2023/10/12 5:15 p.m., 1 views

AZL-33516 CVE-2023-45142 affecting package opa for versions less than 0.63.0-1

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.useragent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 7.1, EPSS 0.01159
Exploits 0, References 1
Cvelist
added 2023/10/12 4:33 p.m., 31 views

CVE-2023-45142 OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.useragent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 7.7, EPSS 0.01159
Exploits 0, References 9
OSV
added 2023/04/05 6:2 p.m., 28 views

GO-2023-1546 Denial of service in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp

The otelhttp package of opentelemetry-go-contrib is vulnerable to a denial-of-service attack. The otelhttp package uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.requestcontentlength, http.server.responsecontentlength, and http.server.duration...

CVSS 7.5, AI score 9.4, EPSS 0.01159
Exploits 1, References 1
Github Security Blog
added 2023/02/08 10:32 p.m., 53 views

otelhttp and otelbeego have DoS vulnerability for high cardinality metrics

Impact: The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.requestcontentlength, http.server.responsecontentlength, and http.server.duration instruments. The ServerRequest...

CVSS 7.5, AI score 7.2, EPSS 0.00468
Exploits 1, References 4, Affected Software 2