SB2023121825 - Denial of service in OpenTelemetry otelgrpc
Published: December 18, 2023
Security Bulletin ID
SB2023121825
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource exhaustion (CVE-ID: CVE-2023-47108)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to grpc Unary Server Interceptor does not properly control consumption of internal resources when processing multiple requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw
- https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322
- https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b
- https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327
- https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138
- https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider