Bug 2245180 (CVE-2023-45142) - CVE-2023-45142 opentelemetry: DoS vulnerability in otelhttp
Summary: CVE-2023-45142 opentelemetry: DoS vulnerability in otelhttp
Keywords:
Status: NEW
Alias: CVE-2023-45142
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2246579 2246647 2246648 2246649 2246650 2243562 2245181 2246580 2246581 2246582 2246583 2246584 2246585 2246586 2246587 2246588 2246589 2246590 2246622 2246623 2246624 2246651 2246652 2246653 2246654 2246655 2246656 2246657 2246658 2246659 2246660 2253046
Blocks: 2246594
TreeView+ depends on / blocked
 
Reported: 2023-10-19 22:13 UTC by Nick Tait
Modified: 2025-05-06 08:28 UTC (History)
49 users (show)

Fixed In Version: opentelemetry-go 0.44.0
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7197 0 None None None 2024-02-27 19:47:46 UTC
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:49:45 UTC
Red Hat Product Errata RHSA-2023:7469 0 None None None 2023-11-29 10:28:11 UTC
Red Hat Product Errata RHSA-2023:7470 0 None None None 2023-11-29 11:37:44 UTC
Red Hat Product Errata RHSA-2023:7555 0 None None None 2023-11-28 18:51:21 UTC
Red Hat Product Errata RHSA-2023:7599 0 None None None 2023-12-05 09:57:21 UTC
Red Hat Product Errata RHSA-2023:7663 0 None None None 2023-12-06 05:00:45 UTC
Red Hat Product Errata RHSA-2023:7681 0 None None None 2023-12-12 09:36:38 UTC
Red Hat Product Errata RHSA-2023:7682 0 None None None 2023-12-12 09:49:02 UTC
Red Hat Product Errata RHSA-2023:7831 0 None None None 2024-01-03 20:04:44 UTC
Red Hat Product Errata RHSA-2024:0041 0 None None None 2024-06-27 11:23:45 UTC
Red Hat Product Errata RHSA-2024:0050 0 None None None 2024-01-09 16:55:48 UTC
Red Hat Product Errata RHSA-2024:0204 0 None None None 2024-01-17 10:44:19 UTC
Red Hat Product Errata RHSA-2024:0641 0 None None None 2024-02-07 16:41:43 UTC
Red Hat Product Errata RHSA-2024:0642 0 None None None 2024-02-07 17:36:43 UTC
Red Hat Product Errata RHSA-2024:0660 0 None None None 2024-02-07 15:07:47 UTC
Red Hat Product Errata RHSA-2024:0766 0 None None None 2024-02-28 08:11:12 UTC
Red Hat Product Errata RHSA-2024:0833 0 None None None 2024-02-21 01:44:32 UTC
Red Hat Product Errata RHSA-2024:1328 0 None None None 2024-03-14 14:48:40 UTC
Red Hat Product Errata RHSA-2024:1859 0 None None None 2024-04-16 17:26:50 UTC
Red Hat Product Errata RHSA-2024:2773 0 None None None 2024-05-15 18:43:57 UTC
Red Hat Product Errata RHSA-2024:4118 0 None None None 2024-06-26 10:01:33 UTC
Red Hat Product Errata RHSA-2024:5433 0 None None None 2024-08-22 11:41:53 UTC
Red Hat Product Errata RHSA-2024:6236 0 None None None 2024-09-03 18:24:31 UTC
Red Hat Product Errata RHSA-2024:6406 0 None None None 2024-09-11 18:34:11 UTC
Red Hat Product Errata RHSA-2024:6811 0 None None None 2024-09-25 01:07:22 UTC
Red Hat Product Errata RHSA-2024:7921 0 None None None 2024-10-15 15:24:18 UTC
Red Hat Product Errata RHSA-2024:8991 0 None None None 2024-11-13 18:35:04 UTC

Description Nick Tait 2023-10-19 22:13:52 UTC 
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr
https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0
https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277
Comment 1 Nick Tait 2023-10-19 22:14:04 UTC 
Created golang-opentelemetry-contrib-0.20 tracking bugs for this issue:

Affects: fedora-all [bug 2245181]
Comment 5 Nick Tait 2023-10-27 15:32:46 UTC 
Created caddy tracking bugs for this issue:

Affects: epel-8 [bug 2246579]
Affects: fedora-37 [bug 2246580]
Affects: fedora-38 [bug 2246587]


Created cri-o:1.26/cri-tools tracking bugs for this issue:

Affects: fedora-37 [bug 2246581]
Affects: fedora-38 [bug 2246588]


Created cri-o:1.27/cri-tools tracking bugs for this issue:

Affects: fedora-37 [bug 2246582]
Affects: fedora-38 [bug 2246589]


Created golang-github-quay-clair-4 tracking bugs for this issue:

Affects: fedora-37 [bug 2246583]


Created golang-k8s-apiextensions-apiserver tracking bugs for this issue:

Affects: fedora-38 [bug 2246590]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-37 [bug 2246584]


Created golang-k8s-pod-security-admission tracking bugs for this issue:

Affects: fedora-37 [bug 2246585]


Created golang-k8s-sample-apiserver tracking bugs for this issue:

Affects: fedora-37 [bug 2246586]
Comment 34 errata-xmlrpc 2023-11-28 18:51:18 UTC 
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2023:7555 https://access.redhat.com/errata/RHSA-2023:7555
Comment 35 errata-xmlrpc 2023-11-29 10:28:07 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7469 https://access.redhat.com/errata/RHSA-2023:7469
Comment 36 errata-xmlrpc 2023-11-29 11:37:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7470 https://access.redhat.com/errata/RHSA-2023:7470
Comment 37 errata-xmlrpc 2023-12-05 09:57:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7599 https://access.redhat.com/errata/RHSA-2023:7599
Comment 39 Anten Skrabec 2023-12-05 18:56:52 UTC 
Created caddy tracking bugs for this issue:

Affects: epel-8 [bug 2253046]
Comment 41 errata-xmlrpc 2023-12-06 05:00:41 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.0

Via RHSA-2023:7663 https://access.redhat.com/errata/RHSA-2023:7663
Comment 42 errata-xmlrpc 2023-12-12 09:36:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7681 https://access.redhat.com/errata/RHSA-2023:7681
Comment 43 errata-xmlrpc 2023-12-12 09:48:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7682 https://access.redhat.com/errata/RHSA-2023:7682
Comment 44 errata-xmlrpc 2024-01-03 20:04:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7831 https://access.redhat.com/errata/RHSA-2023:7831
Comment 45 errata-xmlrpc 2024-01-09 16:55:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0050 https://access.redhat.com/errata/RHSA-2024:0050
Comment 48 errata-xmlrpc 2024-01-17 10:44:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0204 https://access.redhat.com/errata/RHSA-2024:0204
Comment 49 errata-xmlrpc 2024-02-07 15:07:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0660 https://access.redhat.com/errata/RHSA-2024:0660
Comment 50 errata-xmlrpc 2024-02-07 16:41:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0641 https://access.redhat.com/errata/RHSA-2024:0641
Comment 51 errata-xmlrpc 2024-02-07 17:36:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0642 https://access.redhat.com/errata/RHSA-2024:0642
Comment 52 errata-xmlrpc 2024-02-21 01:44:28 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0833 https://access.redhat.com/errata/RHSA-2024:0833
Comment 55 errata-xmlrpc 2024-02-27 19:47:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197
Comment 60 errata-xmlrpc 2024-02-27 20:49:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198
Comment 61 errata-xmlrpc 2024-02-28 08:11:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:0766 https://access.redhat.com/errata/RHSA-2024:0766
Comment 62 errata-xmlrpc 2024-03-14 14:48:36 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8

Via RHSA-2024:1328 https://access.redhat.com/errata/RHSA-2024:1328
Comment 63 errata-xmlrpc 2024-04-16 17:26:46 UTC 
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859
Comment 64 errata-xmlrpc 2024-05-15 18:43:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2773 https://access.redhat.com/errata/RHSA-2024:2773
Comment 65 errata-xmlrpc 2024-06-26 10:01:29 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2024:4118 https://access.redhat.com/errata/RHSA-2024:4118
Comment 66 errata-xmlrpc 2024-06-27 11:23:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041
Comment 67 errata-xmlrpc 2024-08-22 11:41:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433
Comment 68 errata-xmlrpc 2024-09-03 18:24:26 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2024:6236 https://access.redhat.com/errata/RHSA-2024:6236
Comment 69 errata-xmlrpc 2024-09-11 18:34:06 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:6406 https://access.redhat.com/errata/RHSA-2024:6406
Comment 70 errata-xmlrpc 2024-09-25 01:07:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6811 https://access.redhat.com/errata/RHSA-2024:6811
Comment 71 errata-xmlrpc 2024-10-15 15:24:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:7921 https://access.redhat.com/errata/RHSA-2024:7921
Comment 72 errata-xmlrpc 2024-11-13 18:34:59 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:8991 https://access.redhat.com/errata/RHSA-2024:8991
Note You need to log in before you can comment on or make changes to this bug.