Bug 1217070 (CVE-2023-47108)

Summary: VUL-0: CVE-2023-47108: TRACKERBUG: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: thomas.leroy
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/384593/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-47108:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-11-13 09:21:59 UTC
OpenTelemetry-Go Contrib is a collection of third-party packages for
OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out
of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have
unbound cardinality. It leads to the server's potential memory exhaustion when
many malicious requests are sent. An attacker can easily flood the peer address
and port for requests. Version 0.46.0 contains a fix for this issue. As a
workaround to stop being affected, a view removing the attributes can be used.
The other possibility is to disable grpc metrics instrumentation by passing
`otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-47108
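Added example (not code from this report or from opentelemetry-go-contrib): a standard-library-only Go model of the problem described above. Like a metrics SDK it keeps one time series per distinct attribute set, so a flood of requests with distinct peer address/port values grows the series count without bound, while dropping those two keys, as the view workaround does, keeps it at one. The Counter, NewCounter and Simulate names and the sample attribute values are constructed for the example; in the real SDK the equivalent is a view with an attribute filter on the otelgrpc instruments.

```go
package main

import (
	"fmt"
	"sort"
)

// Counter models one server-side instrument. A metrics SDK keeps a time series
// per distinct attribute set, so each new value of an unbounded key (the peer
// address and port here) costs memory; deny plays the SDK view's filter role.
type Counter struct {
	deny   map[string]bool
	series map[string]int
}

func NewCounter(denyKeys ...string) *Counter {
	c := &Counter{deny: map[string]bool{}, series: map[string]int{}}
	for _, k := range denyKeys {
		c.deny[k] = true
	}
	return c
}
// Add records one measurement under attribute set a, minus the denied keys.
func (c *Counter) Add(a map[string]string) {
	parts := []string{}
	for k, v := range a {
		if !c.deny[k] {
			parts = append(parts, k+"="+v)
		}
	}
	sort.Strings(parts) // canonical key, so equal attribute sets share a series
	c.series[fmt.Sprint(parts)]++
}
// Simulate records n RPCs, each from a distinct client address and port (a
// constructed flood), and returns how many time series the instrument holds.
func Simulate(c *Counter, n int) int {
	for i := 0; i < n; i++ {
		c.Add(map[string]string{
			"rpc.method":         "/pkg.Service/Call",
			"net.peer.sock.addr": fmt.Sprintf("10.0.%d.%d", i/256, i%256),
			"net.peer.sock.port": fmt.Sprintf("%d", 10000+i),
		})
	}
	return len(c.series)
}

func main() {
	fmt.Println("no filter:", Simulate(NewCounter(), 1000)) // 1000 series
	fmt.Println("filtered:", Simulate(NewCounter("net.peer.sock.addr", "net.peer.sock.port"), 1000)) // 1
}
```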
Comment 1 Thomas Leroy 2023-11-13 09:34:58 UTC
The bug was introduced by this commit:
https://github.com/open-telemetry/opentelemetry-go-contrib/commit/04c5dcbb5b35f14b4e6793b245919c72addbc7d0

landing in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (Go module) in v0.37.0.

The following codestreams/packages contain an otelgrpc module with a version higher than or equal to that:

- openSUSE:Factory/grafana,v0.37.0
- openSUSE:Factory/teleport,v0.38.0
- openSUSE:Factory/dagger,v0.40.0
- openSUSE:Factory/cilium-cli,v0.40.0