Skip to content

DoS vulnerability for high cardinality metrics in otelhttp and otelbeego

High
Aneurysm9 published GHSA-5r5m-65gx-7vrh Feb 8, 2023

Package

gomod go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego (Go)

Affected versions

v0.38.0

Patched versions

v0.39.0
gomod go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (Go)
v0.38.0
v0.39.0

Description

Impact

The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.request_content_length, http.server.response_content_length, and http.server.duration instruments.

The ServerRequest function sets the http.target attribute value to be the whole request URI (including the query string)1. The metric instruments do not "forget" previous measurement attributes when cumulative temporality is used, this means the cardinality of the measurements allocated is directly correlated with the unique URIs handled. If the query string is constantly random, this will result in a constant increase in memory allocation that can be used in a denial-of-service attack.

Pseudo-attack:

for infinite loop {
  r := generate_random_string()
  do_http_request("/some/path?random="+r)
}

Patches

  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp - v0.39.0
  • go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego - v0.39.0

Footnotes

  1. https://github.com/open-telemetry/opentelemetry-go/blob/6cb5718eaaed5c408c3bf4ad1aecee5c20ccdaa9/semconv/internal/v2/http.go#L202-L208

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-25151

Weaknesses

No CWEs