Bug 2245180 (CVE-2023-45142) - CVE-2023-45142 opentelemetry: DoS vulnerability in otelhttp
Summary: CVE-2023-45142 opentelemetry: DoS vulnerability in otelhttp
Keywords:
Status: NEW
Alias: CVE-2023-45142
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2246579 2246647 2246648 2246649 2246650 2243562 2245181 2246580 2246581 2246582 2246583 2246584 2246585 2246586 2246587 2246588 2246589 2246590 2246622 2246623 2246624 2246651 2246652 2246653 2246654 2246655 2246656 2246657 2246658 2246659 2246660 2253046
Blocks: 2246594
Reported: 2023-10-19 22:13 UTC by Nick Tait
Modified: 2024-06-27 11:23 UTC (History)

Fixed In Version: opentelemetry-go 0.44.0
Doc Type: If docs needed, set a value
Doc Text:
A memory leak was found in the otelhttp handler of open-telemetry. This flaw allows a remote, unauthenticated attacker to exhaust the server's memory by sending many malicious requests, affecting the availability.
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7197 0 None None None 2024-02-27 19:47:46 UTC
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:49:45 UTC
Red Hat Product Errata RHSA-2023:7469 0 None None None 2023-11-29 10:28:11 UTC
Red Hat Product Errata RHSA-2023:7470 0 None None None 2023-11-29 11:37:44 UTC
Red Hat Product Errata RHSA-2023:7555 0 None None None 2023-11-28 18:51:21 UTC
Red Hat Product Errata RHSA-2023:7599 0 None None None 2023-12-05 09:57:21 UTC
Red Hat Product Errata RHSA-2023:7663 0 None None None 2023-12-06 05:00:45 UTC
Red Hat Product Errata RHSA-2023:7681 0 None None None 2023-12-12 09:36:38 UTC
Red Hat Product Errata RHSA-2023:7682 0 None None None 2023-12-12 09:49:02 UTC
Red Hat Product Errata RHSA-2023:7831 0 None None None 2024-01-03 20:04:44 UTC
Red Hat Product Errata RHSA-2024:0041 0 None None None 2024-06-27 11:23:45 UTC
Red Hat Product Errata RHSA-2024:0050 0 None None None 2024-01-09 16:55:48 UTC
Red Hat Product Errata RHSA-2024:0204 0 None None None 2024-01-17 10:44:19 UTC
Red Hat Product Errata RHSA-2024:0641 0 None None None 2024-02-07 16:41:43 UTC
Red Hat Product Errata RHSA-2024:0642 0 None None None 2024-02-07 17:36:43 UTC
Red Hat Product Errata RHSA-2024:0660 0 None None None 2024-02-07 15:07:47 UTC
Red Hat Product Errata RHSA-2024:0766 0 None None None 2024-02-28 08:11:12 UTC
Red Hat Product Errata RHSA-2024:0833 0 None None None 2024-02-21 01:44:32 UTC
Red Hat Product Errata RHSA-2024:1328 0 None None None 2024-03-14 14:48:40 UTC
Red Hat Product Errata RHSA-2024:1859 0 None None None 2024-04-16 17:26:50 UTC
Red Hat Product Errata RHSA-2024:2773 0 None None None 2024-05-15 18:43:57 UTC
Red Hat Product Errata RHSA-2024:4118 0 None None None 2024-06-26 10:01:33 UTC

Description Nick Tait 2023-10-19 22:13:52 UTC
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds the labels `http.user_agent` and `http.method`, which have unbounded cardinality. This leads to potential memory exhaustion on the server when many malicious requests are sent to it. The HTTP User-Agent header or HTTP method of a request can easily be set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest`, which records every value for the HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter unknown HTTP methods or User-Agents at the level of a CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue: the values collected for the attribute `http.request.method` were restricted to a set of well-known values, and other high-cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires careful manual configuration so as not to log certain requests entirely. For convenience and safe usage of this library, it should by default mark non-standard HTTP methods and User-Agents with the label `unknown`, to show that such requests were made without increasing cardinality. In case someone wants to keep the current behavior, the library API should allow enabling it.

https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr
https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0
https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277
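As an added example (not code from this bug report or from the opentelemetry-go-contrib project), the following Go shows the two defensive options the description discusses: a filter with the signature `otelhttp.WithFilter()` accepts that keeps instrumentation to well-known methods and a capped User-Agent length, and the `unknown`-label normalisation the description proposes as the safe default, with a small simulation of the label-set growth that causes the memory exhaustion. The method set, the 256-byte User-Agent cap and the helper names `BoundedCardinalityFilter`, `MethodLabel` and `DistinctLabels` are assumptions for illustration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// knownMethods is the bounded set of methods we are willing to record as an
// attribute value; anything else is treated as unknown.
var knownMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// maxUserAgentLen is an assumed, site-chosen cap on User-Agent length.
const maxUserAgentLen = 256

// BoundedCardinalityFilter has the signature otelhttp.Filter expects
// (func(*http.Request) bool) and is wired in with
// otelhttp.NewHandler(mux, "server", otelhttp.WithFilter(BoundedCardinalityFilter))
// (not compiled here; needs the contrib module). Returning false means the request
// is not instrumented at all: it vanishes from spans and metrics (the caveat above).
func BoundedCardinalityFilter(r *http.Request) bool {
	return knownMethods[r.Method] && len(r.UserAgent()) <= maxUserAgentLen
}

// MethodLabel is the normalisation the description asks for by default: the label
// is the method only when well known, else "unknown", so at most len(knownMethods)+1 values.
func MethodLabel(r *http.Request) string {
	if knownMethods[r.Method] {
		return r.Method
	}
	return "unknown"
}

// DistinctLabels simulates the metric label set produced by a stream of request
// methods, raw or normalised, to show the cardinality difference behind the memory growth.
func DistinctLabels(methods []string, normalise bool) int {
	seen := map[string]bool{}
	for _, m := range methods {
		r := httptest.NewRequest(m, "/", nil) // method must be a valid HTTP token
		if normalise {
			seen[MethodLabel(r)] = true
		} else {
			seen[r.Method] = true
		}
	}
	return len(seen)
}
```

Filtered requests still need visibility: count them in a separate middleware with a fixed label rather than relying on the instrumentation that the filter suppresses.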

Comment 1 Nick Tait 2023-10-19 22:14:04 UTC
Created golang-opentelemetry-contrib-0.20 tracking bugs for this issue:

Affects: fedora-all [bug 2245181]

Comment 5 Nick Tait 2023-10-27 15:32:46 UTC
Created caddy tracking bugs for this issue:

Affects: epel-8 [bug 2246579]
Affects: fedora-37 [bug 2246580]
Affects: fedora-38 [bug 2246587]


Created cri-o:1.26/cri-tools tracking bugs for this issue:

Affects: fedora-37 [bug 2246581]
Affects: fedora-38 [bug 2246588]


Created cri-o:1.27/cri-tools tracking bugs for this issue:

Affects: fedora-37 [bug 2246582]
Affects: fedora-38 [bug 2246589]


Created golang-github-quay-clair-4 tracking bugs for this issue:

Affects: fedora-37 [bug 2246583]


Created golang-k8s-apiextensions-apiserver tracking bugs for this issue:

Affects: fedora-38 [bug 2246590]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-37 [bug 2246584]


Created golang-k8s-pod-security-admission tracking bugs for this issue:

Affects: fedora-37 [bug 2246585]


Created golang-k8s-sample-apiserver tracking bugs for this issue:

Affects: fedora-37 [bug 2246586]

Comment 34 errata-xmlrpc 2023-11-28 18:51:18 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2023:7555 https://access.redhat.com/errata/RHSA-2023:7555

Comment 35 errata-xmlrpc 2023-11-29 10:28:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7469 https://access.redhat.com/errata/RHSA-2023:7469

Comment 36 errata-xmlrpc 2023-11-29 11:37:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7470 https://access.redhat.com/errata/RHSA-2023:7470

Comment 37 errata-xmlrpc 2023-12-05 09:57:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7599 https://access.redhat.com/errata/RHSA-2023:7599

Comment 39 Anten Skrabec 2023-12-05 18:56:52 UTC
Created caddy tracking bugs for this issue:

Affects: epel-8 [bug 2253046]

Comment 41 errata-xmlrpc 2023-12-06 05:00:41 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.0

Via RHSA-2023:7663 https://access.redhat.com/errata/RHSA-2023:7663

Comment 42 errata-xmlrpc 2023-12-12 09:36:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7681 https://access.redhat.com/errata/RHSA-2023:7681

Comment 43 errata-xmlrpc 2023-12-12 09:48:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7682 https://access.redhat.com/errata/RHSA-2023:7682

Comment 44 errata-xmlrpc 2024-01-03 20:04:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7831 https://access.redhat.com/errata/RHSA-2023:7831

Comment 45 errata-xmlrpc 2024-01-09 16:55:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0050 https://access.redhat.com/errata/RHSA-2024:0050

Comment 48 errata-xmlrpc 2024-01-17 10:44:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0204 https://access.redhat.com/errata/RHSA-2024:0204

Comment 49 errata-xmlrpc 2024-02-07 15:07:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0660 https://access.redhat.com/errata/RHSA-2024:0660

Comment 50 errata-xmlrpc 2024-02-07 16:41:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0641 https://access.redhat.com/errata/RHSA-2024:0641

Comment 51 errata-xmlrpc 2024-02-07 17:36:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0642 https://access.redhat.com/errata/RHSA-2024:0642

Comment 52 errata-xmlrpc 2024-02-21 01:44:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0833 https://access.redhat.com/errata/RHSA-2024:0833

Comment 55 errata-xmlrpc 2024-02-27 19:47:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197

Comment 60 errata-xmlrpc 2024-02-27 20:49:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Comment 61 errata-xmlrpc 2024-02-28 08:11:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:0766 https://access.redhat.com/errata/RHSA-2024:0766

Comment 62 errata-xmlrpc 2024-03-14 14:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8

Via RHSA-2024:1328 https://access.redhat.com/errata/RHSA-2024:1328

Comment 63 errata-xmlrpc 2024-04-16 17:26:46 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859

Comment 64 errata-xmlrpc 2024-05-15 18:43:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2773 https://access.redhat.com/errata/RHSA-2024:2773

Comment 65 errata-xmlrpc 2024-06-26 10:01:29 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2024:4118 https://access.redhat.com/errata/RHSA-2024:4118

Comment 66 errata-xmlrpc 2024-06-27 11:23:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041
