CVE-2023-47108
Denial-of-Service vulnerability in otelgrpc (Go)


What is CVE-2023-47108 About?

This denial-of-service vulnerability in the grpc Unary Server Interceptor of opentelemetry-go-contrib can lead to memory exhaustion. It occurs due to unbound cardinality in labels like `net.peer.sock.addr` and `net.peer.sock.port` when processing many requests. Exploitation can be achieved by sending numerous malicious requests.

Affected Software

  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
    • >0.37.0, <0.46.0
    • <0.46.0

Technical Details

The `UnaryServerInterceptor` within the `opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc` library adds labels such as `net.peer.sock.addr` and `net.peer.sock.port` with unbound cardinality to metrics. When a program configures a metrics pipeline using this interceptor and does not filter client IP addresses and ports, an attacker can continuously send requests from many unique IP addresses and ports. Each unique combination causes the creation of a new histogram or metric series, leading to an uncontrolled increase in memory consumption and ultimately resulting in server memory exhaustion and denial-of-service.
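As an added illustration (not code from otelgrpc or from this advisory), the following self-contained Go model of a metrics registry keys histogram series by attribute set, the way a metrics SDK does. Recording requests from distinct peers grows the series count one-for-one with clients when `net.peer.sock.addr`/`net.peer.sock.port` are kept, and stays at a single series when those two attributes are dropped before the key is built. `Registry`, `Simulate` and the 10.0.x.x sample peers are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attribute keys the advisory names as unbounded in cardinality.
var peerAttrs = map[string]bool{"net.peer.sock.addr": true, "net.peer.sock.port": true}

// Registry is a constructed stand-in for a metrics SDK: one histogram series per
// distinct attribute set. DropPeer strips the peer attributes before keys are built.
type Registry struct {
	Series   map[string]int // series key -> observation count
	DropPeer bool
}

// seriesKey canonicalises the attribute set as sorted k=v pairs.
func (r *Registry) seriesKey(attrs map[string]string) string {
	pairs := make([]string, 0, len(attrs))
	for k, v := range attrs {
		if !(r.DropPeer && peerAttrs[k]) {
			pairs = append(pairs, k+"="+v)
		}
	}
	sort.Strings(pairs)
	return strings.Join(pairs, ";")
}

// Record mimics the interceptor recording one request's latency observation.
func (r *Registry) Record(attrs map[string]string) { r.Series[r.seriesKey(attrs)]++ }

// Simulate records n requests to one RPC, each from a distinct peer addr:port, and returns the series count.
func Simulate(dropPeer bool, n int) int {
	r := &Registry{Series: map[string]int{}, DropPeer: dropPeer}
	for i := 0; i < n; i++ {
		r.Record(map[string]string{
			"rpc.service":        "example.Greeter",
			"rpc.method":         "SayHello",
			"net.peer.sock.addr": fmt.Sprintf("10.0.%d.%d", i/256, i%256), // constructed peers
			"net.peer.sock.port": fmt.Sprint(40000 + i),
		})
	}
	return len(r.Series)
}

func main() {
	fmt.Println("peer attrs kept:   ", Simulate(false, 10000)) // 10000 series
	fmt.Println("peer attrs dropped:", Simulate(true, 10000))  // 1 series
}
```

Memory held by the registry is proportional to the series count, which is why the unbounded variant is the denial-of-service path and a bounded label set is the mitigation.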

What is the Impact of CVE-2023-47108?

Successful exploitation may allow attackers to cause memory exhaustion in the server application, leading to service unavailability, system instability, and denial of legitimate service for users.

What is the Exploitability of CVE-2023-47108?

Exploitation is of low complexity, as it primarily involves sending many requests from a diverse set of source IPs/ports. No specific authentication is required from the attacker if the gRPC endpoint is publicly accessible. This is a remote vulnerability, allowing an attacker to impact the system from outside. Prerequisites include the program actively configuring a metrics pipeline, using the UnaryServerInterceptor, and lacking client IP/port filtering. The likelihood of exploitation is high given the ease of sending numerous requests and the clear impact.

What are the Known Public Exploits?

PoC Author | Link | Commentary
bahe-msft  | Link | PoC for CVE-2023-47108

What are the Available Fixes for CVE-2023-47108?


Available Upgrade Options

  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
    • <0.46.0 → Upgrade to 0.46.0


Additional Resources

What are Similar Vulnerabilities to CVE-2023-47108?

Similar Vulnerabilities: GHSA-rcjv-mgp8-qvmr, GHSA-5r5m-65gx-7vrh, GHSA-cg3q-j54f-5p7p, CVE-2021-39147, CVE-2022-23539