
CVE-2023-47108 : Security Advisory and Response

Learn about the DoS vulnerability in otelgrpc due to unbound cardinality metrics, impacting OpenTelemetry-Go Contrib versions before 0.46.0. Find out how to mitigate and prevent exploitation.

A denial of service (DoS) vulnerability has been identified in otelgrpc due to uncontrolled resource consumption, leading to unbound cardinality metrics.

Understanding CVE-2023-47108

This vulnerability affects OpenTelemetry-Go Contrib versions before 0.46.0, specifically impacting the grpc Unary Server Interceptor.

What is CVE-2023-47108?

OpenTelemetry-Go Contrib, a collection of third-party packages for OpenTelemetry-Go, suffers from a DoS issue in which metric attributes with unbound cardinality can cause memory exhaustion in the instrumented server.

The Impact of CVE-2023-47108

The vulnerability allows an attacker to flood the server with requests arriving from many distinct peer addresses and ports; each new address/port combination is recorded as a separate metric series, potentially leading to server memory exhaustion.

Technical Details of CVE-2023-47108

This section provides a detailed overview of the vulnerability.

Vulnerability Description

Prior to version 0.46.0, the grpc Unary Server Interceptor in OpenTelemetry-Go Contrib adds metric labels with unbound cardinality (the peer address and port), so a flood of requests from varying peer addresses and ports creates an unbounded number of distinct metric series.

Affected Systems and Versions

OpenTelemetry-Go Contrib versions before 0.46.0 are affected by this vulnerability.

Exploitation Mechanism

Attackers can exploit the vulnerability by sending numerous malicious requests from many different peer addresses and ports, each of which adds a new metric series, causing potential memory exhaustion.

Mitigation and Prevention

Learn how to mitigate and prevent the impact of CVE-2023-47108.

Immediate Steps to Take

One immediate step is to upgrade to version 0.46.0, which contains a fix for the issue. Alternatively, removing the attributes that cause unbound cardinality from the instrumentation's metrics, or disabling grpc metrics instrumentation entirely, can help prevent exploitation.
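The following Go program is an added example that is not part of this advisory and not code from OpenTelemetry-Go Contrib. It models, with a toy in-memory counter instrument, both the failure mode described under Vulnerability Description (one metric series per distinct attribute set, so per-peer address/port attributes grow without bound) and the mitigation described above (dropping those attributes before they reach the instrument). The attribute key names `peer.addr` and `peer.port`, the service and method names, and the cardinality budget are constructed placeholders, not the real otelgrpc attribute keys.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// attrs is one set of metric attributes (label key/value pairs).
type attrs map[string]string

// key builds a canonical, order-independent identity for an attribute set,
// which is how a metrics SDK decides whether a measurement belongs to an
// existing series or must allocate a new one.
func (a attrs) key() string {
	keys := make([]string, 0, len(a))
	for k := range a {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k)
		b.WriteByte('=')
		b.WriteString(a[k])
		b.WriteByte(';')
	}
	return b.String()
}

// counter is a toy instrument: one time series per distinct attribute set.
// Every new attribute set allocates an entry that is never freed, which is
// why an attribute with unbounded values means unbounded memory.
type counter struct {
	filter func(key string) bool // keep an attribute only if this returns true; nil keeps all
	series map[string]int64
}

func newCounter(filter func(string) bool) *counter {
	return &counter{filter: filter, series: make(map[string]int64)}
}

// add records one measurement after applying the attribute filter.
func (c *counter) add(a attrs) {
	kept := attrs{}
	for k, v := range a {
		if c.filter == nil || c.filter(k) {
			kept[k] = v
		}
	}
	c.series[kept.key()]++
}

// cardinality is the number of distinct series currently held in memory.
func (c *counter) cardinality() int { return len(c.series) }

// denyKeys returns a filter that rejects the listed attribute keys; this is
// the "remove the attributes causing unbound cardinality" mitigation.
func denyKeys(keys ...string) func(string) bool {
	deny := make(map[string]bool, len(keys))
	for _, k := range keys {
		deny[k] = true
	}
	return func(k string) bool { return !deny[k] }
}

// simulateRequests records n unary RPCs, each arriving from a different
// ephemeral source port (constructed sample input), and returns how many
// distinct series the counter holds afterwards.
func simulateRequests(c *counter, n int) int {
	for i := 0; i < n; i++ {
		c.add(attrs{
			"rpc.service":          "example.Greeter", // placeholder service
			"rpc.method":           "SayHello",        // placeholder method
			"rpc.grpc.status_code": "0",
			"peer.addr":            "203.0.113.10",        // placeholder key and value
			"peer.port":            fmt.Sprint(40000 + i), // placeholder key, unbounded value
		})
	}
	return c.cardinality()
}

// overBudget is a simple health check a defender can run periodically:
// it reports whether the instrument has grown past an expected series count.
func overBudget(c *counter, budget int) bool { return c.cardinality() > budget }

func main() {
	const n = 10000
	unbounded := newCounter(nil)
	bounded := newCounter(denyKeys("peer.addr", "peer.port"))
	fmt.Printf("series with peer attributes:    %d\n", simulateRequests(unbounded, n))
	fmt.Printf("series without peer attributes: %d\n", simulateRequests(bounded, n))
	fmt.Printf("unbounded counter over budget of 100: %v\n", overBudget(unbounded, 100))
	fmt.Printf("bounded counter over budget of 100:   %v\n", overBudget(bounded, 100))
}
```

With the peer attributes kept, every request from a new source port becomes a new series, so memory grows linearly with the number of distinct client ports seen; with those two keys denied, all requests for the same method and status code collapse into a single series regardless of how many peers send them. A real deployment would apply the same idea through the metrics SDK's attribute-filtering views, or simply upgrade to the fixed version.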

Long-Term Security Practices

Implement proper input validation, keep software versions up to date, and monitor network traffic and metric cardinality so that potential attacks can be detected and responded to promptly.

Patching and Updates

Regularly check for security updates from OpenTelemetry-Go Contrib and apply patches promptly to address known vulnerabilities.
