Bug 2245180 (CVE-2023-45142)

Summary: CVE-2023-45142 opentelemetry: DoS vulnerability in otelhttp
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: amasferr, amctagga, aoconnor, bdettelb, bniver, chazlett, dcadzow, dfreiber, dhanak, dkenigsb, dsimansk, dymurray, fdeutsch, flucifre, gmeno, gparvin, jburrell, jcantril, jkoehler, jmatthew, joelsmith, kverlaen, lball, matzew, mbenjamin, mbiarnes, mhackett, mkudlej, mnovotny, mrajanna, mwringe, njean, odf-bz-bot, oramraz, owatkins, pahickey, phoracek, rguimara, rhaigner, rhuss, rjohnson, rogbas, smullick, sostapov, teagle, tjochec, vereddy, vkumar, whayutin
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: opentelemetry-go 0.44.0
Doc Type: If docs needed, set a value
Doc Text:
A memory leak was found in the otelhttp handler of open-telemetry. This flaw allows a remote, unauthenticated attacker to exhaust the server's memory by sending many malicious requests, affecting availability.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2246579, 2246647, 2246648, 2246649, 2246650, 2243562, 2245181, 2246580, 2246581, 2246582, 2246583, 2246584, 2246585, 2246586, 2246587, 2246588, 2246589, 2246590, 2246622, 2246623, 2246624, 2246651, 2246652, 2246653, 2246654, 2246655, 2246656, 2246657, 2246658, 2246659, 2246660, 2253046
Bug Blocks: 2246594

Description Nick Tait 2023-10-19 22:13:52 UTC
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds the labels `http.user_agent` and `http.method`, which have unbounded cardinality. This leads to potential memory exhaustion on the server when many malicious requests are sent to it. The HTTP `User-Agent` header or the HTTP method of a request can easily be set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest`, which records every value for the HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter unknown HTTP methods or User-Agents at the level of a CDN, LB, previous middleware, etc.

Version 0.44.0 fixed this issue: the values collected for the attribute `http.request.method` were restricted to a set of well-known values, and other high-cardinality attributes were removed. As a workaround, `otelhttp.WithFilter()` can be used, but it requires careful manual configuration so as not to drop logging of certain requests entirely.

For convenience and safe usage of this library, it should by default mark non-standard HTTP methods and User-Agents with the label `unknown`, to show that such requests were made without increasing cardinality. In case someone wants to keep the current behavior, the library API should allow enabling it.

https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr
https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0
https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277
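The unbounded-label problem and the `unknown` normalization proposed above, as an added Go example (not code from the OpenTelemetry project or from this report): `boundedAttrs` keeps only allow-listed methods and User-Agents verbatim, and `flood` compares how many distinct label combinations a metrics store accumulates from constructed requests with and without that bound. The attribute names, the allow-lists and the `distinctValues` store are assumptions standing in for the real otelhttp and metrics pipeline.

```go
package main

import (
	"fmt"
	"net/http"
)

// knownMethods bounds the http.method attribute: any other method is recorded
// as "unknown" instead of as whatever string the client chose to send.
var knownMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "PATCH": true,
	"DELETE": true, "CONNECT": true, "OPTIONS": true, "TRACE": true,
}

// boundedAttrs keeps only allow-listed values verbatim, so random methods or
// User-Agent strings cannot create new label combinations in the metrics store.
func boundedAttrs(r *http.Request, knownAgents map[string]bool) map[string]string {
	method, ua := "unknown", "unknown"
	if knownMethods[r.Method] {
		method = r.Method
	}
	if knownAgents[r.UserAgent()] {
		ua = r.UserAgent()
	}
	return map[string]string{"http.method": method, "http.user_agent": ua}
}

// distinctValues stands in for a metrics backend (assumed): the set of distinct
// label combinations it has seen is the state that grows without bound.
type distinctValues map[string]bool

func (d distinctValues) record(attrs map[string]string) {
	d[attrs["http.method"]+"|"+attrs["http.user_agent"]] = true
}

// flood simulates n constructed requests that each carry a unique method and
// User-Agent and returns the distinct label sets recorded bounded vs. raw.
func flood(n int) (bounded, raw int) {
	b, r := distinctValues{}, distinctValues{}
	for i := 0; i < n; i++ {
		req := &http.Request{Method: fmt.Sprintf("M%d", i), Header: http.Header{"User-Agent": {fmt.Sprintf("ua-%d", i)}}}
		b.record(boundedAttrs(req, nil))
		r.record(map[string]string{"http.method": req.Method, "http.user_agent": req.UserAgent()})
	}
	return len(b), len(r)
}

func main() {
	b, r := flood(10000)
	fmt.Printf("distinct label sets: bounded=%d raw=%d\n", b, r) // bounded=1 raw=10000
}
```

The raw count grows linearly with the number of attacker-controlled values, which is the memory growth the advisory describes; the bounded count stays at one regardless of n.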

Comment 1 Nick Tait 2023-10-19 22:14:04 UTC
Created golang-opentelemetry-contrib-0.20 tracking bugs for this issue:

Affects: fedora-all [bug 2245181]

Comment 5 Nick Tait 2023-10-27 15:32:46 UTC
Created caddy tracking bugs for this issue:

Affects: epel-8 [bug 2246579]
Affects: fedora-37 [bug 2246580]
Affects: fedora-38 [bug 2246587]


Created cri-o:1.26/cri-tools tracking bugs for this issue:

Affects: fedora-37 [bug 2246581]
Affects: fedora-38 [bug 2246588]


Created cri-o:1.27/cri-tools tracking bugs for this issue:

Affects: fedora-37 [bug 2246582]
Affects: fedora-38 [bug 2246589]


Created golang-github-quay-clair-4 tracking bugs for this issue:

Affects: fedora-37 [bug 2246583]


Created golang-k8s-apiextensions-apiserver tracking bugs for this issue:

Affects: fedora-38 [bug 2246590]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-37 [bug 2246584]


Created golang-k8s-pod-security-admission tracking bugs for this issue:

Affects: fedora-37 [bug 2246585]


Created golang-k8s-sample-apiserver tracking bugs for this issue:

Affects: fedora-37 [bug 2246586]

Comment 34 errata-xmlrpc 2023-11-28 18:51:18 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2023:7555 https://access.redhat.com/errata/RHSA-2023:7555

Comment 35 errata-xmlrpc 2023-11-29 10:28:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7469 https://access.redhat.com/errata/RHSA-2023:7469

Comment 36 errata-xmlrpc 2023-11-29 11:37:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7470 https://access.redhat.com/errata/RHSA-2023:7470

Comment 37 errata-xmlrpc 2023-12-05 09:57:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7599 https://access.redhat.com/errata/RHSA-2023:7599

Comment 39 Anten Skrabec 2023-12-05 18:56:52 UTC
Created caddy tracking bugs for this issue:

Affects: epel-8 [bug 2253046]

Comment 41 errata-xmlrpc 2023-12-06 05:00:41 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.0

Via RHSA-2023:7663 https://access.redhat.com/errata/RHSA-2023:7663

Comment 42 errata-xmlrpc 2023-12-12 09:36:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7681 https://access.redhat.com/errata/RHSA-2023:7681

Comment 43 errata-xmlrpc 2023-12-12 09:48:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7682 https://access.redhat.com/errata/RHSA-2023:7682

Comment 44 errata-xmlrpc 2024-01-03 20:04:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7831 https://access.redhat.com/errata/RHSA-2023:7831

Comment 45 errata-xmlrpc 2024-01-09 16:55:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0050 https://access.redhat.com/errata/RHSA-2024:0050

Comment 48 errata-xmlrpc 2024-01-17 10:44:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0204 https://access.redhat.com/errata/RHSA-2024:0204

Comment 49 errata-xmlrpc 2024-02-07 15:07:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0660 https://access.redhat.com/errata/RHSA-2024:0660

Comment 50 errata-xmlrpc 2024-02-07 16:41:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0641 https://access.redhat.com/errata/RHSA-2024:0641

Comment 51 errata-xmlrpc 2024-02-07 17:36:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0642 https://access.redhat.com/errata/RHSA-2024:0642

Comment 52 errata-xmlrpc 2024-02-21 01:44:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0833 https://access.redhat.com/errata/RHSA-2024:0833

Comment 55 errata-xmlrpc 2024-02-27 19:47:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197

Comment 60 errata-xmlrpc 2024-02-27 20:49:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Comment 61 errata-xmlrpc 2024-02-28 08:11:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:0766 https://access.redhat.com/errata/RHSA-2024:0766

Comment 62 errata-xmlrpc 2024-03-14 14:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8

Via RHSA-2024:1328 https://access.redhat.com/errata/RHSA-2024:1328

Comment 63 errata-xmlrpc 2024-04-16 17:26:46 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859

Comment 64 errata-xmlrpc 2024-05-15 18:43:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2773 https://access.redhat.com/errata/RHSA-2024:2773

Comment 65 errata-xmlrpc 2024-06-26 10:01:29 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2024:4118 https://access.redhat.com/errata/RHSA-2024:4118

Comment 66 errata-xmlrpc 2024-06-27 11:23:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041

Comment 67 errata-xmlrpc 2024-08-22 11:41:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433

Comment 68 errata-xmlrpc 2024-09-03 18:24:26 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2024:6236 https://access.redhat.com/errata/RHSA-2024:6236

Comment 69 errata-xmlrpc 2024-09-11 18:34:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:6406 https://access.redhat.com/errata/RHSA-2024:6406

Comment 70 errata-xmlrpc 2024-09-25 01:07:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6811 https://access.redhat.com/errata/RHSA-2024:6811

Comment 71 errata-xmlrpc 2024-10-15 15:24:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:7921 https://access.redhat.com/errata/RHSA-2024:7921

Comment 72 errata-xmlrpc 2024-11-13 18:34:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:8991 https://access.redhat.com/errata/RHSA-2024:8991