Bug 2251198 (CVE-2023-47108) - CVE-2023-47108 opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics
Summary: CVE-2023-47108 opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to...
Keywords:
Status: NEW
Alias: CVE-2023-47108
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2251221 2251222 2251223 2251224 2251225 2251226 2251227 2251228 2251229 2251230 2251231 2251232 2251233 2251234 2251235 2251236 2251240 2251241 2251242 2251243 2251244 2251245 2254146 2254147 2280270 2280271
Blocks: 2251201
Reported: 2023-11-23 12:06 UTC by Mauro Matteo Cascella
Modified: 2025-05-06 20:28 UTC (History)

Fixed In Version: opentelemetry-go-contrib 0.46.0
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7197 0 None None None 2024-02-27 19:47:52 UTC
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:49:53 UTC
Red Hat Product Errata RHSA-2023:7201 0 None None None 2024-02-27 22:28:27 UTC
Red Hat Product Errata RHSA-2023:7681 0 None None None 2023-12-12 09:36:39 UTC
Red Hat Product Errata RHSA-2023:7831 0 None None None 2024-01-03 20:04:42 UTC
Red Hat Product Errata RHSA-2024:0041 0 None None None 2024-06-27 11:23:49 UTC
Red Hat Product Errata RHSA-2024:0204 0 None None None 2024-01-17 10:44:15 UTC
Red Hat Product Errata RHSA-2024:0207 0 None None None 2024-01-17 17:43:28 UTC
Red Hat Product Errata RHSA-2024:0288 0 None None None 2024-01-24 06:05:25 UTC
Red Hat Product Errata RHSA-2024:0489 0 None None None 2024-01-31 16:37:32 UTC
Red Hat Product Errata RHSA-2024:0642 0 None None None 2024-02-07 17:36:42 UTC
Red Hat Product Errata RHSA-2024:0741 0 None None None 2024-02-14 06:34:39 UTC
Red Hat Product Errata RHSA-2024:0766 0 None None None 2024-02-28 08:11:08 UTC
Red Hat Product Errata RHSA-2024:1328 0 None None None 2024-03-14 14:48:40 UTC
Red Hat Product Errata RHSA-2024:1449 0 None None None 2024-03-27 11:18:46 UTC
Red Hat Product Errata RHSA-2024:1458 0 None None None 2024-03-27 00:25:50 UTC
Red Hat Product Errata RHSA-2024:1812 0 None None None 2024-04-15 05:44:44 UTC
Red Hat Product Errata RHSA-2024:1887 0 None None None 2024-04-25 15:50:53 UTC
Red Hat Product Errata RHSA-2024:1891 0 None None None 2024-04-26 12:38:39 UTC
Red Hat Product Errata RHSA-2024:2773 0 None None None 2024-05-15 18:43:57 UTC
Red Hat Product Errata RHSA-2024:2865 0 None None None 2024-05-21 09:37:55 UTC
Red Hat Product Errata RHSA-2024:4591 0 None None None 2024-07-17 13:11:33 UTC
Red Hat Product Errata RHSA-2024:5433 0 None None None 2024-08-22 11:41:42 UTC
Red Hat Product Errata RHSA-2024:6236 0 None None None 2024-09-03 18:24:35 UTC
Red Hat Product Errata RHSA-2024:6406 0 None None None 2024-09-11 18:34:11 UTC
Red Hat Product Errata RHSA-2024:6409 0 None None None 2024-09-11 13:41:58 UTC
Red Hat Product Errata RHSA-2024:6632 0 None None None 2024-09-17 23:59:25 UTC
Red Hat Product Errata RHSA-2024:6637 0 None None None 2024-09-18 16:27:41 UTC
Red Hat Product Errata RHSA-2024:6811 0 None None None 2024-09-25 01:07:33 UTC
Red Hat Product Errata RHSA-2024:7184 0 None None None 2024-10-03 11:01:30 UTC
Red Hat Product Errata RHSA-2024:8235 0 None None None 2024-10-23 13:15:14 UTC
Red Hat Product Errata RHSA-2025:0029 0 None None None 2025-01-09 18:50:52 UTC

Description Mauro Matteo Cascella 2023-11-23 12:06:07 UTC
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

GitHub Security Advisory:
https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw

Upstream PR & commit:
https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322
https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b
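The cardinality problem and the view-based workaround described above, as an added Go example that is not code from opentelemetry-go-contrib: the Attr, View and Counter types are constructed stand-ins for the OTel SDK's attribute set, view and aggregator, and the client addresses and ports are constructed sample values. Dropping `net.peer.sock.addr` and `net.peer.sock.port` in the view is what keeps the number of series a server holds per method bounded, regardless of how many distinct peers send requests.

```go
package main

import (
	"fmt"
	"sort"
)

// Attr is a constructed stand-in for an OpenTelemetry attribute key/value pair.
type Attr struct{ Key, Value string }

// View drops the listed keys before aggregation; it models the workaround above, not the OTel SDK's View type.
type View struct{ Drop map[string]bool }

func (v View) Apply(attrs []Attr) []Attr {
	kept := make([]Attr, 0, len(attrs))
	for _, a := range attrs {
		if !v.Drop[a.Key] {
			kept = append(kept, a)
		}
	}
	return kept
}

// Counter holds one in-memory series per distinct attribute set, which is why
// an attribute whose values a remote client chooses can exhaust server memory.
type Counter struct {
	view   View
	series map[string]int64
}

func NewCounter(v View) *Counter { return &Counter{view: v, series: map[string]int64{}} }

// seriesKey canonicalises an attribute set so equal sets share one series.
func seriesKey(attrs []Attr) string {
	sort.Slice(attrs, func(i, j int) bool { return attrs[i].Key < attrs[j].Key })
	return fmt.Sprint(attrs)
}

func (c *Counter) Add(attrs []Attr) { c.series[seriesKey(c.view.Apply(attrs))]++ }
func (c *Counter) Series() int      { return len(c.series) }

// SimulatePeers records n RPCs to one method, each from a different (constructed)
// client address:port pair, and returns how many series the counter then holds.
func SimulatePeers(c *Counter, n int) int {
	for i := 0; i < n; i++ {
		c.Add([]Attr{
			{"rpc.method", "/demo.Service/Ping"},
			{"net.peer.sock.addr", fmt.Sprintf("10.0.%d.%d", i/256, i%256)},
			{"net.peer.sock.port", fmt.Sprintf("%d", 40000+i)},
		})
	}
	return c.Series()
}
```

Without the view, 1000 requests from 1000 distinct peers leave 1000 series in memory; with the view, they collapse into one series per method.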

Comment 1 Mauro Matteo Cascella 2023-11-23 14:38:45 UTC
Created containerd tracking bugs for this issue:

Affects: fedora-all [bug 2251221]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2251223]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2251224]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2251225]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2251226]


Created cri-o:1.26/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2251227]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2251228]


Created cri-o:1.27/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2251229]


Created etcd tracking bugs for this issue:

Affects: fedora-all [bug 2251230]


Created golang-github-moby-buildkit tracking bugs for this issue:

Affects: fedora-all [bug 2251231]


Created golang-k8s-apiextensions-apiserver tracking bugs for this issue:

Affects: fedora-all [bug 2251232]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-all [bug 2251233]


Created golang-k8s-pod-security-admission tracking bugs for this issue:

Affects: fedora-all [bug 2251234]


Created golang-k8s-sample-apiserver tracking bugs for this issue:

Affects: fedora-all [bug 2251235]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2251236]

Comment 6 errata-xmlrpc 2023-12-12 09:36:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7681 https://access.redhat.com/errata/RHSA-2023:7681

Comment 7 Mauro Matteo Cascella 2023-12-12 09:55:18 UTC
Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2254146]


Created golang-opentelemetry-contrib tracking bugs for this issue:

Affects: fedora-all [bug 2254147]

Comment 10 errata-xmlrpc 2024-01-03 20:04:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7831 https://access.redhat.com/errata/RHSA-2023:7831

Comment 11 errata-xmlrpc 2024-01-17 10:44:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0204 https://access.redhat.com/errata/RHSA-2024:0204

Comment 12 errata-xmlrpc 2024-01-17 17:43:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0207 https://access.redhat.com/errata/RHSA-2024:0207

Comment 15 errata-xmlrpc 2024-01-24 06:05:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0288 https://access.redhat.com/errata/RHSA-2024:0288

Comment 17 errata-xmlrpc 2024-01-31 16:37:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0489 https://access.redhat.com/errata/RHSA-2024:0489

Comment 18 errata-xmlrpc 2024-02-07 17:36:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0642 https://access.redhat.com/errata/RHSA-2024:0642

Comment 20 errata-xmlrpc 2024-02-14 06:34:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741

Comment 26 errata-xmlrpc 2024-02-27 19:47:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197

Comment 38 errata-xmlrpc 2024-02-27 20:49:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Comment 42 errata-xmlrpc 2024-02-27 22:28:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201

Comment 44 errata-xmlrpc 2024-02-28 08:11:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:0766 https://access.redhat.com/errata/RHSA-2024:0766

Comment 45 errata-xmlrpc 2024-03-14 14:48:37 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8

Via RHSA-2024:1328 https://access.redhat.com/errata/RHSA-2024:1328

Comment 46 errata-xmlrpc 2024-03-27 00:25:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1458 https://access.redhat.com/errata/RHSA-2024:1458

Comment 47 errata-xmlrpc 2024-03-27 11:18:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1449 https://access.redhat.com/errata/RHSA-2024:1449

Comment 48 errata-xmlrpc 2024-04-15 05:44:42 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2024:1812 https://access.redhat.com/errata/RHSA-2024:1812

Comment 49 errata-xmlrpc 2024-04-25 15:50:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1887 https://access.redhat.com/errata/RHSA-2024:1887

Comment 50 errata-xmlrpc 2024-04-26 12:38:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1891 https://access.redhat.com/errata/RHSA-2024:1891

Comment 53 errata-xmlrpc 2024-05-15 18:43:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2773 https://access.redhat.com/errata/RHSA-2024:2773

Comment 55 errata-xmlrpc 2024-05-21 09:37:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2865 https://access.redhat.com/errata/RHSA-2024:2865

Comment 58 errata-xmlrpc 2024-06-27 11:23:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041

Comment 60 errata-xmlrpc 2024-07-17 13:11:28 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591

Comment 61 errata-xmlrpc 2024-08-22 11:41:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433

Comment 62 errata-xmlrpc 2024-09-03 18:24:30 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2024:6236 https://access.redhat.com/errata/RHSA-2024:6236

Comment 63 errata-xmlrpc 2024-09-11 13:41:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:6409 https://access.redhat.com/errata/RHSA-2024:6409

Comment 64 errata-xmlrpc 2024-09-11 18:34:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:6406 https://access.redhat.com/errata/RHSA-2024:6406

Comment 65 errata-xmlrpc 2024-09-17 23:59:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:6632 https://access.redhat.com/errata/RHSA-2024:6632

Comment 66 errata-xmlrpc 2024-09-18 16:27:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:6637 https://access.redhat.com/errata/RHSA-2024:6637

Comment 67 errata-xmlrpc 2024-09-25 01:07:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6811 https://access.redhat.com/errata/RHSA-2024:6811

Comment 68 errata-xmlrpc 2024-10-03 11:01:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:7184 https://access.redhat.com/errata/RHSA-2024:7184

Comment 69 errata-xmlrpc 2024-10-23 13:15:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:8235 https://access.redhat.com/errata/RHSA-2024:8235

Comment 70 errata-xmlrpc 2025-01-09 18:50:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:0029 https://access.redhat.com/errata/RHSA-2025:0029
