GHSA-5r5m-65gx-7vrh: otelhttp and otelbeego have DoS vulnerability for high cardinality metrics

Package

gomod go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego (Go)

Affected versions

>= 0.38.0, < 0.39.0

Patched versions

0.39.0

gomod go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (Go)

>= 0.38.0, < 0.39.0

0.39.0

Description

Impact

The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.request_content_length, http.server.response_content_length, and http.server.duration instruments.

The ServerRequest function sets the http.target attribute value to be the whole request URI (including the query string)1. The metric instruments do not “forget” previous measurement attributes when cumulative temporality is used, this means the cardinality of the measurements allocated is directly correlated with the unique URIs handled. If the query string is constantly random, this will result in a constant increase in memory allocation that can be used in a denial-of-service attack.

Pseudo-attack:

for infinite loop {
  r := generate_random_string()
  do_http_request("/some/path?random="+r)
}

Patches

• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp - v0.39.0
• go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego - v0.39.0

References

• GHSA-5r5m-65gx-7vrh
• https://nvd.nist.gov/vuln/detail/CVE-2023-25151
• https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159

Footnotes

1. https://github.com/open-telemetry/opentelemetry-go/blob/6cb5718eaaed5c408c3bf4ad1aecee5c20ccdaa9/semconv/internal/v2/http.go#L202-L208 ↩

Last updated

Feb 8, 2023

Reviewed

Feb 8, 2023

Published to the GitHub Advisory Database

Feb 8, 2023

Published by the National Vulnerability Database

Feb 8, 2023

Aneurysm9 published to open-telemetry/opentelemetry-go-contrib

Feb 8, 2023