7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-45142

GHSA ID

GHSA-rcjv-mgp8-qvmr

EPSS Score

0.75486%

CWE

CWE-770

Published

10/16/2023

Updated

2/19/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-45142

CVE-2023-45142:
OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics

Summary

This handler wrapper https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65 out of the box adds labels

http.user_agent
http.method

that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it.

Details

HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent.

PoC

Send many requests with long randomly generated HTTP methods or/and User agents (e.g. a million) and observe how memory consumption increases during it.

Impact

In order to be affected, the program has to configure a metrics pipeline, use otelhttp.NewHandler wrapper, and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc.

Others

It is similar to already reported vulnerabilities

https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh (open-telemetry/opentelemetry-go-contrib)
https://github.com/advisories/GHSA-cg3q-j54f-5p7p (prometheus/client_golang)

Workaround for affected versions

As a workaround to stop being affected otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely.

For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

The other possibility is to disable HTTP metrics instrumentation by passing otelhttp.WithMeterProvider option with noop.NewMeterProvider.

Solution provided by upgrading

In PR https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277, released with package version 0.44.0, the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed.

References

https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277
https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-45142

GHSA ID

GHSA-rcjv-mgp8-qvmr

EPSS Score

0.75486%

CWE

CWE-770

Published

10/16/2023

Updated

2/19/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	go	< 0.44.0	0.44.0
go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful	go	< 0.44.0	0.44.0
go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin	go	< 0.44.0	0.44.0
go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux	go	< 0.44.0	0.44.0
go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho	go	< 0.44.0	0.44.0
go.opentelemetry.io/contrib/instrumentation/gopkg.in/macaron.v1/otelmacaron	go	< 0.44.0	0.44.0
go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace	go	< 0.44.0	0.44.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the generation of metrics with unbound cardinality, specifically from 'http.method' and 'http.user_agent' attributes. The analysis focused on identifying functions that either generated these problematic attributes or consumed them for metrics recording prior to the patch.

The otelhttp.NewHandler function is identified as it's the entry point for using the vulnerable otelhttp middleware, as highlighted in the vulnerability description.
The otelhttp.(*middleware).serveHTTP function is identified as it's the core request handler in otelhttp that, before the patch, used semconvutil.HTTPServerRequest (which in turn calls (*httpConv).ServerRequest) to get attributes for metrics. The patch changed this to use a new, safer semconvutil.HTTPServerRequestMetrics.
The (*httpConv).ServerRequest function (present in internal/semconvutil/httpconv.go across multiple affected instrumentation packages) is identified as the generator of the high-cardinality attributes. The vulnerability description explicitly mentions httpconv.ServerRequest. The fix involved creating a new function (*httpConv).ServerRequestMetrics that omits problematic attributes (like http.user_agent) and sanitizes others (like http.method via methodMetric) for metric purposes. The calling handlers were then updated to use this new function for metrics.

The evidence is drawn from the vulnerability description and the changes in the provided commit information, particularly the introduction of ServerRequestMetrics and methodMetric functions, and the modification of serveHTTP to use the new metrics function. The functions listed are those that would be active in the runtime path when the vulnerability is triggered by processing HTTP requests and generating metrics from them.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T*is **n*l*r wr*pp*r *ttps://*it*u*.*om/op*n-t*l*m*try/op*nt*l*m*try-*o-*ontri*/*lo*/****************************************/instrum*nt*tion/n*t/*ttp/ot*l*ttp/**n*l*r.*o#L**-L** out o* t** *ox ***s l***ls - `*ttp.us*r_***nt` - `*ttp.m*

Reasoning

T** vuln*r**ility li*s in t** **n*r*tion o* m*tri*s wit* un*oun* **r*in*lity, sp**i*i**lly *rom '*ttp.m*t*o*' *n* '*ttp.us*r_***nt' *ttri*ut*s. T** *n*lysis *o*us** on i**nti*yin* *un*tions t**t *it**r **n*r*t** t**s* pro*l*m*ti* *ttri*ut*s or *onsum

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-45142: OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics

Summary

Details

PoC

Impact

Others

Workaround for affected versions

Solution provided by upgrading

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-45142:
OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics

Vulnerability Intelligence
Miggo AI