CVE-2023-43810

Name of the Vulnerable Software and Affected Versions OpenTelemetry versions prior to 0.41b0

Description OpenTelemetry is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data. The autoinstrumentation feature adds the label http method that has unbound cardinality, leading to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily set the HTTP method for requests to be random and long. To be affected, a program must be instrumented for HTTP handlers and not filter any unknown HTTP methods on the level of CDN, LB, previous middleware, etc.

Recommendations For versions prior to 0.41b0, update to version 0.41b0 or later to resolve the issue. As a temporary workaround, consider configuring the program to filter unknown HTTP methods on the level of CDN, LB, or previous middleware to minimize the risk of exploitation. Additionally, consider setting an environment variable to mark non-standard HTTP methods with the label UNKNOWN to prevent increased cardinality.