otelhttp and otelbeego have DoS vulnerability for high cardinality metrics
High severity
GitHub Reviewed
Published
Feb 8, 2023
in
open-telemetry/opentelemetry-go-contrib
•
Updated Jun 13, 2023
Description
Published by the National Vulnerability Database
Feb 8, 2023
Published to the GitHub Advisory Database
Feb 8, 2023
Reviewed
Feb 8, 2023
Last updated
Jun 13, 2023
Impact
The v0.38.0 release of
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
uses thehttpconv.ServerRequest
function to annotate metric measurements for thehttp.server.request_content_length
,http.server.response_content_length
, andhttp.server.duration
instruments.The
ServerRequest
function sets thehttp.target
attribute value to be the whole request URI (including the query string)1. The metric instruments do not "forget" previous measurement attributes whencumulative
temporality is used, this means the cardinality of the measurements allocated is directly correlated with the unique URIs handled. If the query string is constantly random, this will result in a constant increase in memory allocation that can be used in a denial-of-service attack.Pseudo-attack:
Patches
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
- v0.39.0go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego
- v0.39.0References
Footnotes
https://github.com/open-telemetry/opentelemetry-go/blob/6cb5718eaaed5c408c3bf4ad1aecee5c20ccdaa9/semconv/internal/v2/http.go#L202-L208 ↩