CVE-2023-47108

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds the labels `net.peer.sock.addr` and `net.peer.sock.port`, which have unbounded cardinality: every distinct client socket produces a new metric attribute set that the SDK keeps in memory. This can lead to memory exhaustion on the server when many malicious requests are sent, since an attacker can easily vary the peer address and port across requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing the `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.
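The example below is added here and is not code from the OpenTelemetry project or the advisory. It models the memory cost of the issue and the "view removing the attributes" workaround in plain Go, without the OpenTelemetry modules: a minimal counter that keeps one bucket per distinct attribute set (the quantity that grows without bound), and a key-deny filter of the same shape as the SDK's view attribute filter. The `Counter`, `Filter`, `DenyKeys` and `SimulateRequests` names, the `rpc.method`/`rpc.service` labels and the 10.0.x.y client addresses are constructed for the demonstration; only the two `net.peer.sock.*` key names come from the advisory.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attribute key names added by the affected interceptor (from the advisory).
const (
	keyPeerAddr = "net.peer.sock.addr"
	keyPeerPort = "net.peer.sock.port"
)

// Filter decides whether an attribute key is kept on a metric stream.
// It stands in for the attribute filter a metric view applies in the SDK.
type Filter func(key string) bool

// DenyKeys returns a Filter that drops the listed keys and keeps every other
// key, which is what "a view removing the attributes" amounts to.
func DenyKeys(keys ...string) Filter {
	denied := make(map[string]bool, len(keys))
	for _, k := range keys {
		denied[k] = true
	}
	return func(key string) bool { return !denied[key] }
}

// Counter is a toy aggregator: one bucket per distinct attribute set.
// Each bucket lives for the lifetime of the process, so the bucket count is
// the number a defender must keep bounded.
type Counter struct {
	filter  Filter
	buckets map[string]int64
}

// NewCounter builds a Counter; a nil filter keeps all attributes (the
// vulnerable default).
func NewCounter(f Filter) *Counter {
	if f == nil {
		f = func(string) bool { return true }
	}
	return &Counter{filter: f, buckets: map[string]int64{}}
}

// Add records one observation. attrs is the full label set the
// instrumentation would attach; the filter is applied before the set is
// serialised into a bucket key.
func (c *Counter) Add(attrs map[string]string) {
	keys := make([]string, 0, len(attrs))
	for k := range attrs {
		if c.filter(k) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys) // canonical order so equal sets share a bucket
	var sb strings.Builder
	for _, k := range keys {
		sb.WriteString(k)
		sb.WriteByte('=')
		sb.WriteString(attrs[k])
		sb.WriteByte(';')
	}
	c.buckets[sb.String()]++
}

// Cardinality returns the number of distinct attribute sets held in memory.
func (c *Counter) Cardinality() int { return len(c.buckets) }

// SimulateRequests feeds n requests for the same RPC, each from a different
// constructed client socket, to an unfiltered counter and to one using the
// workaround filter. It returns (unfiltered, filtered) bucket counts.
func SimulateRequests(n int) (int, int) {
	raw := NewCounter(nil)
	safe := NewCounter(DenyKeys(keyPeerAddr, keyPeerPort))
	for i := 0; i < n; i++ {
		attrs := map[string]string{
			"rpc.service": "demo.Service", // constructed service name
			"rpc.method":  "Ping",         // constructed method name
			keyPeerAddr:   fmt.Sprintf("10.0.%d.%d", i/256, i%256),
			keyPeerPort:   fmt.Sprintf("%d", 30000+i),
		}
		raw.Add(attrs)
		safe.Add(attrs)
	}
	return raw.Cardinality(), safe.Cardinality()
}

func main() {
	rawN, safeN := SimulateRequests(10000)
	fmt.Printf("buckets without the view: %d\n", rawN) // grows with every new client socket
	fmt.Printf("buckets with the view:    %d\n", safeN) // bounded by service x method
}
```

With the two peer keys kept, the bucket count equals the number of distinct client sockets seen; with them denied it stays at one per service/method pair regardless of how many clients connect, which is the bound a metrics pipeline needs. In the real SDK the same effect comes from registering a metric view whose stream carries an attribute filter (the SDK ships `attribute.NewDenyKeysFilter` for this), or from upgrading to 0.46.0 where the labels are no longer added.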
CVSS 3.x Base Score

| Provider | Type    | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector                                       |
|----------|---------|------------|---------------|-------------------|---------------------|----------------------------------------------|
| NIST     | Primary | 7.5 HIGH   | NETWORK       | LOW               | NONE                | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS Score: Percentile 89%
Affected Products (NVD)

| Vendor        | Product       | Version   |
|---------------|---------------|-----------|
| opentelemetry | opentelemetry | x < 0.46.0 |

x = vulnerable software versions
Ubuntu Releases

| Ubuntu Product               | Codename | Status       |
|------------------------------|----------|--------------|
| golang-opentelemetry-contrib | focal    | dne          |
| golang-opentelemetry-contrib | jammy    | dne          |
| golang-opentelemetry-contrib | mantic   | dne          |
| golang-opentelemetry-contrib | noble    | dne          |
| golang-opentelemetry-contrib | oracular | needs-triage |

dne = the package does not exist in that release
openSUSE / SLES Releases

| openSUSE Product | Release                        | Version              | Status |
|------------------|--------------------------------|----------------------|--------|
| containerd       | suse enterprise desktop 15 SP7 | 1.7.21-150000.117.1  | fixed  |
| containerd       | suse enterprise sap 15 SP5     | 1.7.21-150000.117.1  | fixed  |
| containerd       | suse enterprise sap 15 SP6     | 1.7.21-150000.117.1  | fixed  |
| containerd       | suse enterprise sap 15 SP7     | 1.7.21-150000.117.1  | fixed  |
| containerd       | suse enterprise server 15 SP2  | 1.7.21-150000.117.1  | fixed  |
| containerd       | suse enterprise server 15 SP3  | 1.7.21-150000.117.1  | fixed  |
| containerd       | suse enterprise server 15 SP4  | 1.7.21-150000.117.1  | fixed  |
| containerd       | suse enterprise server 15 SP5  | 1.7.21-150000.117.1  | fixed  |
| containerd       | suse enterprise server 15 SP6  | 1.7.21-150000.117.1  | fixed  |
| containerd       | suse enterprise server 15 SP7  | 1.7.21-150000.117.1  | fixed  |
| containerd-ctr   | suse enterprise sap 15 SP5     | 1.7.21-150000.117.1  | fixed  |
| containerd-ctr   | suse enterprise sap 15 SP6     | 1.7.21-150000.117.1  | fixed  |
| containerd-ctr   | suse enterprise sap 15 SP7     | 1.7.21-150000.117.1  | fixed  |
| containerd-ctr   | suse enterprise server 15 SP2  | 1.7.21-150000.117.1  | fixed  |
| containerd-ctr   | suse enterprise server 15 SP3  | 1.7.21-150000.117.1  | fixed  |
| containerd-ctr   | suse enterprise server 15 SP4  | 1.7.21-150000.117.1  | fixed  |
| containerd-ctr   | suse enterprise server 15 SP5  | 1.7.21-150000.117.1  | fixed  |
| containerd-ctr   | suse enterprise server 15 SP6  | 1.7.21-150000.117.1  | fixed  |
| containerd-ctr   | suse enterprise server 15 SP7  | 1.7.21-150000.117.1  | fixed  |
| containerd-devel | suse enterprise sap 15 SP5     | 1.7.21-150000.117.1  | fixed  |
| containerd-devel | suse enterprise sap 15 SP6     | 1.7.21-150000.117.1  | fixed  |
| containerd-devel | suse enterprise sap 15 SP7     | 1.7.21-150000.117.1  | fixed  |
| containerd-devel | suse enterprise server 15 SP4  | 1.7.21-150000.117.1  | fixed  |
| containerd-devel | suse enterprise server 15 SP5  | 1.7.21-150000.117.1  | fixed  |
| containerd-devel | suse enterprise server 15 SP6  | 1.7.21-150000.117.1  | fixed  |
| containerd-devel | suse enterprise server 15 SP7  | 1.7.21-150000.117.1  | fixed  |