Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE-2023-47108 in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 #741

Closed
2 of 4 tasks
jgu17 opened this issue May 17, 2024 · 1 comment · Fixed by #742
Closed
2 of 4 tasks

Fix CVE-2023-47108 in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 #741

jgu17 opened this issue May 17, 2024 · 1 comment · Fixed by #742
Assignees
@jgu17
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@jgu17
Copy link
Contributor

jgu17 commented May 17, 2024

Area

  • Scheduler
  • Controller
  • Helm Chart
  • Documents

Other components

No response

What happened?

The grpc Unary Server Interceptor opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go

// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
out of the box adds labels

net.peer.sock.addr
net.peer.sock.port
that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.

What did you expect to happen?

Upgrade go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from v0.42.0 to 0.46.0 to fix the vulnerability.

How can we reproduce it (as minimally and precisely as possible)?

In order to be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and does not filter any client IP address and ports via middleware or proxies, etc.

Anything else we need to know?

No response

Kubernetes version

$ kubectl version
# paste output here

Scheduler Plugins version

0.28.9
@jgu17 jgu17 added the kind/bug Categorizes issue or PR as related to a bug. label May 17, 2024
@jgu17
Copy link
Contributor Author

jgu17 commented May 17, 2024

/assign

@jgu17 jgu17 mentioned this issue May 17, 2024
Merged
@jgu17 jgu17 mentioned this issue May 21, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jgu17 jgu17

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix CVE-2023-47108 in go.opentelemetry.io jgu17/scheduler-plugins
1 participant
@jgu17