CVE-2023-47108: Allocation of Resources Without Limits or Throttling in Contrib Instrumentation Google.golang.org Grpc Otelgrpc

Severity: 7.5 HIGH (NVD)
EPSS: 4.3% (top 11.12%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 10; latest update Jun 27

Description

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds the metric labels `net.peer.sock.addr` and `net.peer.sock.port`, which have unbounded cardinality: every distinct client address and source port creates a new metric series that the server keeps in memory. This can exhaust the server's memory when many malicious requests are sent, since an attacker can easily vary the peer address and port across requests. Version 0.46.0 contains a fix for this issue. As a workaro
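The following Go program is an added illustration, not code from the otelgrpc project or the advisory. It models the metrics SDK's per-attribute-set aggregation with a small in-memory histogram (the `Histogram`, `simulate` and `dropPeerSocket` names and the client address are constructed here) and compares how many series a burst of requests from one client allocates with the two peer-socket labels kept, as before 0.46.0, versus dropped by an attribute filter of the kind a metric view would apply.

```go
package main

import (
	"fmt"
	"strings"
)

type Attribute struct{ Key, Value string } // one metric label

// Histogram stands in for the SDK instrument: one aggregation per distinct
// attribute set for the process lifetime; nil filter = pre-0.46.0 behaviour.
type Histogram struct {
	filter func(Attribute) bool
	series map[string]int // sample count per attribute set
}

// Record filters attributes, then finds or allocates their series (fixed order, no sort).
func (h *Histogram) Record(attrs []Attribute) {
	var key strings.Builder
	for _, a := range attrs {
		if h.filter == nil || h.filter(a) {
			key.WriteString(a.Key + "=" + a.Value + ";")
		}
	}
	h.series[key.String()]++
}

// dropPeerSocket is the attribute filter a metric view would apply to remove
// the two unbounded labels named in CVE-2023-47108.
func dropPeerSocket(a Attribute) bool {
	return a.Key != "net.peer.sock.addr" && a.Key != "net.peer.sock.port"
}

// simulate replays n requests from one client address over n distinct source
// ports (constructed input) and returns how many series were allocated.
func simulate(n int, filter func(Attribute) bool) int {
	h := &Histogram{filter: filter, series: map[string]int{}}
	for i := 0; i < n; i++ {
		h.Record([]Attribute{
			{"rpc.service", "example.Greeter"}, {"rpc.method", "SayHello"},
			{"net.peer.sock.addr", "198.51.100.7"}, {"net.peer.sock.port", fmt.Sprint(1024 + i)},
		})
	}
	return len(h.series)
}
func main() {
	fmt.Println("series without filter:", simulate(10000, nil))           // 10000
	fmt.Println("series with filter:   ", simulate(10000, dropPeerSocket)) // 1
}
```

With the labels kept, series grow one-for-one with source ports (and multiply again across client addresses), which is the memory growth the description refers to; with the filter, all requests to the same method collapse into one series.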

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 27 packages

Patches

Vulnerability Details (4)

OSV: Denial of service in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (2024-06-27)
GHSA: otelgrpc DoS vulnerability due to unbound cardinality metrics (2023-11-12)
OSV: otelgrpc DoS vulnerability due to unbound cardinality metrics (2023-11-12)
OSV: CVE-2023-47108: OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go (2023-11-10)

Vendor Advisories (2)

Microsoft: DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics (2023-11-14)
Red Hat: opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (2023-11-10)