Bug 1217070 (CVE-2023-47108) - VUL-0: CVE-2023-47108: TRACKERBUG: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics
Status: NEW
Alias: CVE-2023-47108
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Major (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/384593/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-47108:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-13 09:21 UTC by SMASH SMASH
Modified: 2023-11-13 10:15 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description (SMASH SMASH, 2023-11-13 09:21:59 UTC)
OpenTelemetry-Go Contrib is a collection of third-party packages for
OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out
of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have
unbound cardinality. It leads to the server's potential memory exhaustion when
many malicious requests are sent. An attacker can easily flood the peer address
and port for requests. Version 0.46.0 contains a fix for this issue. As a
workaround to stop being affected, a view removing the attributes can be used.
The other possibility is to disable grpc metrics instrumentation by passing
`otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-47108
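The description above names the failure mode (a metric series is created for every distinct client address and source port, so memory grows with the number of peers) and the workaround (a view that removes the two attributes). The Go program below is an added example, not code from the otelgrpc module or the OpenTelemetry SDK: it models metric aggregation keyed by attribute set with a hand-written `View` type that drops named attribute keys, and shows that without the filter one client cycling through ephemeral ports produces one series per request, while with the filter everything collapses into a single series. The service and method names and the client address 10.0.0.7 are constructed; the two `net.peer.sock.*` keys are the ones the report names.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attr is one attribute (label) on a metric data point.
type Attr struct {
	Key   string
	Value string
}

// View mimics the idea of an SDK view that strips named attribute keys before
// aggregation. This is a hand-written stand-in, not the OpenTelemetry SDK API.
type View struct {
	DropKeys map[string]bool
}

// SeriesStore counts requests per distinct attribute set, the way a metrics
// SDK keeps one time series (and its memory) per unique label combination.
type SeriesStore struct {
	view   View
	series map[string]int64
}

// NewSeriesStore creates an empty store governed by the given view.
func NewSeriesStore(v View) *SeriesStore {
	return &SeriesStore{view: v, series: make(map[string]int64)}
}

// seriesKey canonicalises the attributes the view keeps into a map key.
func (s *SeriesStore) seriesKey(attrs []Attr) string {
	parts := make([]string, 0, len(attrs))
	for _, a := range attrs {
		if s.view.DropKeys[a.Key] {
			continue // attribute removed by the view
		}
		parts = append(parts, a.Key+"="+a.Value)
	}
	sort.Strings(parts)
	return strings.Join(parts, ",")
}

// Record increments the series matching one request's attributes.
func (s *SeriesStore) Record(attrs []Attr) {
	s.series[s.seriesKey(attrs)]++
}

// SeriesCount is the number of live series, a proxy for memory held.
func (s *SeriesStore) SeriesCount() int { return len(s.series) }

// rpcAttrs builds the attribute set the report describes for one unary call.
// Service and method names are constructed for this example.
func rpcAttrs(peerAddr string, peerPort int) []Attr {
	return []Attr{
		{Key: "rpc.system", Value: "grpc"},
		{Key: "rpc.service", Value: "example.Greeter"},
		{Key: "rpc.method", Value: "SayHello"},
		{Key: "net.peer.sock.addr", Value: peerAddr},
		{Key: "net.peer.sock.port", Value: fmt.Sprint(peerPort)},
	}
}

// Simulate records n requests, each from a fresh ephemeral source port of the
// same client, and returns how many series the store ended up holding.
func Simulate(n int, v View) int {
	store := NewSeriesStore(v)
	for i := 0; i < n; i++ {
		store.Record(rpcAttrs("10.0.0.7", 40000+i)) // constructed client address
	}
	return store.SeriesCount()
}

// PeerAttrView is the mitigation: drop the two unbounded-cardinality keys.
func PeerAttrView() View {
	return View{DropKeys: map[string]bool{
		"net.peer.sock.addr": true,
		"net.peer.sock.port": true,
	}}
}

func main() {
	fmt.Println("series without view:", Simulate(10000, View{}))
	fmt.Println("series with view:   ", Simulate(10000, PeerAttrView()))
}
```

The series count is the quantity worth watching operationally: an exporter that reports how many distinct series an instrument holds makes this class of problem visible as a steadily climbing number long before the process runs out of memory, whereas a request-rate metric alone looks normal.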
Comment 1 (Thomas Leroy, 2023-11-13 09:34:58 UTC)
The bug was introduced by this commit:
https://github.com/open-telemetry/opentelemetry-go-contrib/commit/04c5dcbb5b35f14b4e6793b245919c72addbc7d0

landing in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (Go module) in v0.37.0.

The following codestreams/packages contain an otelgrpc module with a version higher than or equal to that:

- openSUSE:Factory/grafana,v0.37.0
- openSUSE:Factory/teleport,v0.38.0
- openSUSE:Factory/dagger,v0.40.0
- openSUSE:Factory/cilium-cli,v0.40.0