GHSA-5r5m-65gx-7vrh

Suggest an improvement
Source
https://github.com/advisories/GHSA-5r5m-65gx-7vrh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-5r5m-65gx-7vrh/GHSA-5r5m-65gx-7vrh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5r5m-65gx-7vrh
Aliases
Related
Published
2023-02-08T22:32:16Z
Modified
2024-10-22T05:28:47.723813Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
otelhttp and otelbeego have DoS vulnerability for high cardinality metrics
Details

Impact

The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.request_content_length, http.server.response_content_length, and http.server.duration instruments.

The ServerRequest function sets the http.target attribute value to be the whole request URI (including the query string)[^1]. The metric instruments do not "forget" previous measurement attributes when cumulative temporality is used, this means the cardinality of the measurements allocated is directly correlated with the unique URIs handled. If the query string is constantly random, this will result in a constant increase in memory allocation that can be used in a denial-of-service attack.

Pseudo-attack:

for infinite loop {
  r := generate_random_string()
  do_http_request("/some/path?random="+r)
}

Patches

  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp - v0.39.0
  • go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego - v0.39.0
Database specific
{
    "nvd_published_at": "2023-02-08T20:15:00Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T22:32:16Z"
}
References

Affected packages

Go / go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp

Package

Name
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
View open source insights on deps.dev
Purl
pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp

Affected ranges

Type
SEMVER
Events
Introduced
0.38.0
Fixed
0.39.0

Go / go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego

Package

Name
go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego
View open source insights on deps.dev
Purl
pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego

Affected ranges

Type
SEMVER
Events
Introduced
0.38.0
Fixed
0.39.0