
GHSA-5r5m-65gx-7vrh: otelhttp and otelbeego have DoS vulnerability for high cardinality metrics

Impact

The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.request_content_length, http.server.response_content_length, and http.server.duration instruments.

The ServerRequest function sets the http.target attribute value to the whole request URI, including the query string [1]. Metric instruments do not “forget” previously seen measurement attributes when cumulative temporality is used, so the number of attribute sets allocated grows directly with the number of unique URIs handled. If the query string is constantly random, this results in a constant increase in memory allocation that can be used in a denial-of-service attack.

Pseudo-attack:

for infinite loop {
  r := generate_random_string()
  do_http_request("/some/path?random="+r)
}
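To make the growth described above concrete from the defender's side, the following added example (not code from the advisory or from the opentelemetry-go-contrib project) models a cumulative metric store with the standard library only. It feeds constructed sample requests through two attribute builders: one that mirrors the v0.38.0 behaviour (full request URI in http.target) and a hypothetical hardened one that keeps only the path. The MetricStore, ExceedsBudget and boundedAttrs names are assumptions for this illustration, not project APIs.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// MetricStore models a cumulative-temporality instrument: every distinct
// attribute set becomes a series key that is retained for the process lifetime.
type MetricStore struct {
	series map[string]int64
}

func NewMetricStore() *MetricStore { return &MetricStore{series: map[string]int64{}} }

// Record adds one measurement under the given attribute set.
func (m *MetricStore) Record(attrs map[string]string) { m.series[attrKey(attrs)]++ }

// Cardinality is the number of distinct attribute sets held in memory.
func (m *MetricStore) Cardinality() int { return len(m.series) }

// ExceedsBudget is a simple operational check: a defender can alert when the
// series count for one instrument passes an agreed limit.
func (m *MetricStore) ExceedsBudget(limit int) bool { return m.Cardinality() > limit }

// attrKey renders an attribute set as a stable string so it can be a map key.
func attrKey(attrs map[string]string) string {
	keys := make([]string, 0, len(attrs))
	for k := range attrs {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k)
		b.WriteByte('=')
		b.WriteString(attrs[k])
		b.WriteByte(';')
	}
	return b.String()
}

// vulnerableAttrs mirrors the behaviour the advisory describes for v0.38.0:
// http.target carries the full request URI, query string included.
func vulnerableAttrs(method, requestURI string) map[string]string {
	return map[string]string{"http.method": method, "http.target": requestURI}
}

// boundedAttrs is a hypothetical hardened builder (assumption, not the
// project's fix): the query string is dropped, so the attribute value is
// bounded by the number of distinct paths the server actually serves.
func boundedAttrs(method, requestURI string) (map[string]string, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return nil, err
	}
	return map[string]string{"http.method": method, "http.target": u.Path}, nil
}

// sampleRequests builds constructed traffic: one path, n distinct query strings.
func sampleRequests(n int) []string {
	reqs := make([]string, n)
	for i := range reqs {
		reqs[i] = fmt.Sprintf("/some/path?random=%d", i)
	}
	return reqs
}

// Simulate returns the series count each builder produces for the same traffic.
func Simulate(reqs []string) (vulnerable, bounded int) {
	v, b := NewMetricStore(), NewMetricStore()
	for _, r := range reqs {
		v.Record(vulnerableAttrs("GET", r))
		if attrs, err := boundedAttrs("GET", r); err == nil {
			b.Record(attrs)
		}
	}
	return v.Cardinality(), b.Cardinality()
}

func main() {
	v, b := Simulate(sampleRequests(1000))
	fmt.Printf("series with full URI: %d, series with path only: %d\n", v, b)
}
```

Running it shows the full-URI builder creating one series per request while the path-only builder stays at a single series; the same store-level budget check is the kind of signal to export to monitoring so an unexpected jump in series count is noticed before memory pressure does the noticing.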

Patches

  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp - v0.39.0
  • go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego - v0.39.0

  1. https://github.com/open-telemetry/opentelemetry-go/blob/6cb5718eaaed5c408c3bf4ad1aecee5c20ccdaa9/semconv/internal/v2/http.go#L202-L208


Package: gomod go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego (Go)
Affected versions: >= 0.38.0, < 0.39.0
Patched versions: 0.39.0

Package: gomod go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (Go)
Affected versions: >= 0.38.0, < 0.39.0
Patched versions: 0.39.0


References

  • GHSA-5r5m-65gx-7vrh
  • https://nvd.nist.gov/vuln/detail/CVE-2023-25151
  • https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159


Last updated

Feb 8, 2023

Reviewed

Feb 8, 2023

Published to the GitHub Advisory Database

Feb 8, 2023

Published by the National Vulnerability Database

Feb 8, 2023

Aneurysm9 published to open-telemetry/opentelemetry-go-contrib

Feb 8, 2023

Related news

CVE-2023-25151: opentelemetry-go/http.go at v1.12.0 · open-telemetry/opentelemetry-go

opentelemetry-go-contrib is a collection of extensions for OpenTelemetry-Go. The v0.38.0 release of `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` uses the `httpconv.ServerRequest` function to annotate metric measurements for the `http.server.request_content_length`, `http.server.response_content_length`, and `http.server.duration` instruments. The `ServerRequest` function sets the `http.target` attribute value to the whole request URI, including the query string [1]. Metric instruments do not "forget" previously seen measurement attributes when `cumulative` temporality is used, so the number of attribute sets allocated grows directly with the number of unique URIs handled. If the query string is constantly random, this results in a constant increase in memory allocation that can be used in a denial-of-service attack. This issue has been addressed in version 0.39.0. Users are advised to upgrade. There are no known workarounds for this issue.