Programmer04

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry versions prior to 0.41b0 **Description** OpenTelemetry is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data. The autoinstrumentation feature adds the label `http method` that has unbound cardinality, leading to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily set the HTTP method for requests to be random and long. To be affected, a program must be instrumented for HTTP handlers and not filter any unknown HTTP methods on the level of CDN, LB, previous middleware, etc. **Recommendations** For versions prior to 0.41b0, update to version 0.41b0 or later to resolve the issue. As a temporary workaround, consider configuring the program to filter unknown HTTP methods on the level of CDN, LB, or previous middleware to minimize the risk of exploitation. Additionally, consider setting an environment variable to mark non-standard HTTP methods with the label `UNKNOWN` to prevent increased cardinality.

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry-Go Contrib versions prior to 0.44.0 **Description** The issue is related to a denial-of-service attack that can cause memory exhaustion when handling requests with non-standard HTTP methods or User-Agents. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. To be affected, a program must use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. The values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed in version 0.44.0. **Recommendations** For versions prior to 0.44.0, as a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. It is recommended to upgrade to version 0.44.0 or later, where the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. Additionally, consider disabling HTTP metrics instrumentation by passing `otelhttp.WithMeterProvider` option with `noop.NewMeterProvider`.