Bug 2251198 (CVE-2023-47108)

Summary: CVE-2023-47108 opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alcohan, amctagga, anjoseph, aoconnor, bniver, dfreiber, dhanak, drow, dsimansk, dymurray, flucifre, gmeno, gparvin, jburrell, jkoehler, jmatthew, joelsmith, jprabhak, kingland, kverlaen, lbainbri, lball, lchilton, lphiri, manissin, matzew, mbenjamin, mhackett, mnovotny, mrajanna, mwringe, njean, odf-bz-bot, owatkins, pahickey, rguimara, rhaigner, rhuss, rjohnson, sakbas, sausingh, sfeifer, shbose, sostapov, teagle, vereddy, vkumar, whayutin, wtam
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: opentelemetry-go-contrib 0.46.0 Doc Type: If docs needed, set a value
Doc Text:
A memory exhaustion flaw was found in the otelgrpc handler of open-telemetry. This flaw may allow a remote unauthenticated attacker to flood the peer address and port and exhaust the server's memory by sending multiple malicious requests, affecting the availability of the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2251221, 2251222, 2251223, 2251224, 2251225, 2251226, 2251227, 2251228, 2251229, 2251230, 2251231, 2251232, 2251233, 2251234, 2251235, 2251236, 2251240, 2251241, 2251242, 2251243, 2251244, 2251245, 2254146, 2254147, 2280270, 2280271    
Bug Blocks: 2251201    

Description Mauro Matteo Cascella 2023-11-23 12:06:07 UTC 
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

GitHub Security Advisory:
https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw

Upstream PR & commit:
https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322
https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b
Comment 1 Mauro Matteo Cascella 2023-11-23 14:38:45 UTC 
Created containerd tracking bugs for this issue:

Affects: fedora-all [bug 2251221]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2251223]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2251224]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2251225]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2251226]


Created cri-o:1.26/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2251227]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2251228]


Created cri-o:1.27/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2251229]


Created etcd tracking bugs for this issue:

Affects: fedora-all [bug 2251230]


Created golang-github-moby-buildkit tracking bugs for this issue:

Affects: fedora-all [bug 2251231]


Created golang-k8s-apiextensions-apiserver tracking bugs for this issue:

Affects: fedora-all [bug 2251232]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-all [bug 2251233]


Created golang-k8s-pod-security-admission tracking bugs for this issue:

Affects: fedora-all [bug 2251234]


Created golang-k8s-sample-apiserver tracking bugs for this issue:

Affects: fedora-all [bug 2251235]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2251236]
Comment 6 errata-xmlrpc 2023-12-12 09:36:36 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7681 https://access.redhat.com/errata/RHSA-2023:7681
Comment 7 Mauro Matteo Cascella 2023-12-12 09:55:18 UTC 
Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2254146]


Created golang-opentelemetry-contrib tracking bugs for this issue:

Affects: fedora-all [bug 2254147]
Comment 10 errata-xmlrpc 2024-01-03 20:04:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7831 https://access.redhat.com/errata/RHSA-2023:7831
Comment 11 errata-xmlrpc 2024-01-17 10:44:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0204 https://access.redhat.com/errata/RHSA-2024:0204
Comment 12 errata-xmlrpc 2024-01-17 17:43:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0207 https://access.redhat.com/errata/RHSA-2024:0207
Comment 15 errata-xmlrpc 2024-01-24 06:05:22 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0288 https://access.redhat.com/errata/RHSA-2024:0288
Comment 17 errata-xmlrpc 2024-01-31 16:37:30 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0489 https://access.redhat.com/errata/RHSA-2024:0489
Comment 18 errata-xmlrpc 2024-02-07 17:36:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0642 https://access.redhat.com/errata/RHSA-2024:0642
Comment 20 errata-xmlrpc 2024-02-14 06:34:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741
Comment 26 errata-xmlrpc 2024-02-27 19:47:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197
Comment 38 errata-xmlrpc 2024-02-27 20:49:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198
Comment 42 errata-xmlrpc 2024-02-27 22:28:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201
Comment 44 errata-xmlrpc 2024-02-28 08:11:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:0766 https://access.redhat.com/errata/RHSA-2024:0766
Comment 45 errata-xmlrpc 2024-03-14 14:48:37 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8

Via RHSA-2024:1328 https://access.redhat.com/errata/RHSA-2024:1328
Comment 46 errata-xmlrpc 2024-03-27 00:25:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1458 https://access.redhat.com/errata/RHSA-2024:1458
Comment 47 errata-xmlrpc 2024-03-27 11:18:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1449 https://access.redhat.com/errata/RHSA-2024:1449
Comment 48 errata-xmlrpc 2024-04-15 05:44:42 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2024:1812 https://access.redhat.com/errata/RHSA-2024:1812
Comment 49 errata-xmlrpc 2024-04-25 15:50:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1887 https://access.redhat.com/errata/RHSA-2024:1887
Comment 50 errata-xmlrpc 2024-04-26 12:38:36 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1891 https://access.redhat.com/errata/RHSA-2024:1891
Comment 53 errata-xmlrpc 2024-05-15 18:43:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2773 https://access.redhat.com/errata/RHSA-2024:2773
Comment 55 errata-xmlrpc 2024-05-21 09:37:49 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2865 https://access.redhat.com/errata/RHSA-2024:2865
Comment 58 errata-xmlrpc 2024-06-27 11:23:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041
Comment 60 errata-xmlrpc 2024-07-17 13:11:28 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591
Comment 61 errata-xmlrpc 2024-08-22 11:41:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433
Comment 62 errata-xmlrpc 2024-09-03 18:24:30 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2024:6236 https://access.redhat.com/errata/RHSA-2024:6236
Comment 63 errata-xmlrpc 2024-09-11 13:41:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:6409 https://access.redhat.com/errata/RHSA-2024:6409
Comment 64 errata-xmlrpc 2024-09-11 18:34:06 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:6406 https://access.redhat.com/errata/RHSA-2024:6406
Comment 65 errata-xmlrpc 2024-09-17 23:59:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:6632 https://access.redhat.com/errata/RHSA-2024:6632
Comment 66 errata-xmlrpc 2024-09-18 16:27:36 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:6637 https://access.redhat.com/errata/RHSA-2024:6637
Comment 67 errata-xmlrpc 2024-09-25 01:07:28 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6811 https://access.redhat.com/errata/RHSA-2024:6811
Comment 68 errata-xmlrpc 2024-10-03 11:01:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:7184 https://access.redhat.com/errata/RHSA-2024:7184
Comment 69 errata-xmlrpc 2024-10-23 13:15:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:8235 https://access.redhat.com/errata/RHSA-2024:8235
Comment 70 errata-xmlrpc 2025-01-09 18:50:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:0029 https://access.redhat.com/errata/RHSA-2025:0029