CVE-2023-45142

Summary

CVE-2023-45142 affects OpenTelemetry-Go Contrib, a collection of third-party packages for OpenTelemetry-Go. A handler wrapper in the library adds labels for `http.user_agent` and `http.method` with unbound cardinality, leading to potential memory exhaustion on servers when dealing with numerous malicious requests. An attacker can easily manipulate User-Agent or HTTP method for requests to be random and long. The vulnerability arises when a program uses `otelhttp.NewHandler` wrapper and does not filter unknown HTTP methods or User-agents on the CDN, LB, or previous middleware levels. The issue was addressed in version 0.44.0, which restricts collected attribute values for `http.request.method` to a set of well-known values, and removes other high cardinality attributes. As a workaround, `otelhttp.WithFilter()` can be used, but it requires careful manual configuration to avoid logging certain requests entirely. The library should by default mark non-standard HTTP methods and User-agents with the label `unknown` to indicate that such requests were made but do not increase cardinality. Alternatively, the library API should allow users to enable the current behavior.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.