PT-2022-7151 · Opentelemetry-Go Contrib
Programmer04 · Published 2022-02-16 · Updated 2025-08-01
CVE-2023-45142
| Metric | Value |
| CVSS v2.0 | 7.8 (High) |
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
OpenTelemetry-Go Contrib versions prior to 0.44.0
Description
The issue is a denial of service through memory exhaustion when handling requests with non-standard HTTP methods or User-Agent values. Internally the library uses httpconv.ServerRequest, which records every distinct HTTP method and User-Agent value as a metric attribute, so a client that varies these two request fields creates an unbounded number of attribute sets (time series) that the instrumented process keeps in memory. To be affected, a program must use the otelhttp.NewHandler wrapper and not filter unknown HTTP methods or User-Agents at an earlier layer (CDN, load balancer, preceding middleware, etc.). In version 0.44.0 the values collected for the attribute http.request.method were restricted to a set of well-known values and other high-cardinality attributes were removed.
Recommendations
For versions prior to 0.44.0, a workaround is to pass otelhttp.WithFilter() with a filter that rejects requests carrying unknown HTTP methods or User-Agents. This requires careful manual configuration, because a request the filter rejects is not instrumented at all and disappears from traces and metrics entirely. The recommended fix is to upgrade to version 0.44.0 or later, where the values collected for the attribute http.request.method are restricted to a set of well-known values and other high-cardinality attributes were removed. Additionally, consider disabling HTTP metrics instrumentation by passing the otelhttp.WithMeterProvider option with noop.NewMeterProvider.
Exploit
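The following Go program is an added example, not code from the OpenTelemetry-Go Contrib project or from this advisory. It models the cardinality problem described above and the WithFilter workaround: a Recorder type (an assumption, standing in for the metric SDK's per-attribute storage) counts how many distinct time series a burst of requests with unique methods and User-Agents produces under three configurations: the pre-0.44.0 default, the filter workaround, and 0.44.0-style bounded attributes (unknown methods collapsed to the placeholder value `_OTHER`, User-Agent dropped; the exact placeholder is an assumption mirroring the semantic conventions). KnownMethodFilter has the `func(*http.Request) bool` shape that otelhttp.WithFilter accepts; the otelhttp wiring appears only in a comment so the block runs with the standard library alone. All traffic is constructed inline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// knownMethods is the allow-list of well-known HTTP methods. Anything else is
// attacker-controlled text and must not become a distinct attribute value.
var knownMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// KnownMethodFilter has the shape otelhttp.WithFilter expects
// (func(*http.Request) bool). Returning false skips instrumentation for the
// request entirely, which is the caveat in the advisory: the request is not
// collapsed into a bucket, it vanishes from traces and metrics.
//
//	otelhttp.NewHandler(mux, "server", otelhttp.WithFilter(KnownMethodFilter))
func KnownMethodFilter(r *http.Request) bool {
	return knownMethods[r.Method]
}

// seriesKey models how a per-request attribute set becomes one metric time
// series: one series per distinct (method, user-agent) pair.
type seriesKey struct{ Method, UserAgent string }

// Recorder is a stand-in model (assumption) for the metric SDK's per-attribute
// storage; it is not the OpenTelemetry implementation.
type Recorder struct {
	filter  func(*http.Request) bool // nil = instrument everything (pre-0.44.0 default)
	bounded bool                     // model the 0.44.0 attribute changes
	series  map[seriesKey]int
}

func NewRecorder(filter func(*http.Request) bool, bounded bool) *Recorder {
	return &Recorder{filter: filter, bounded: bounded, series: map[seriesKey]int{}}
}

// Observe records one request the way an instrumented handler would.
func (rec *Recorder) Observe(r *http.Request) {
	if rec.filter != nil && !rec.filter(r) {
		return
	}
	key := seriesKey{Method: r.Method, UserAgent: r.UserAgent()}
	if rec.bounded {
		if !knownMethods[key.Method] {
			key.Method = "_OTHER" // unknown methods collapse to a single value (assumed placeholder)
		}
		key.UserAgent = "" // high-cardinality attribute dropped from metrics
	}
	rec.series[key]++
}

// SeriesCount is the number of distinct series held in memory.
func (rec *Recorder) SeriesCount() int { return len(rec.series) }

// sampleTraffic is constructed input: one legitimate GET plus n requests that
// each carry a unique method token and User-Agent, as an attacker would send.
func sampleTraffic(n int) []*http.Request {
	legit := httptest.NewRequest(http.MethodGet, "/health", nil)
	legit.Header.Set("User-Agent", "curl/8.0")
	reqs := []*http.Request{legit}
	for i := 0; i < n; i++ {
		r := httptest.NewRequest(fmt.Sprintf("M%d", i), "/", nil)
		r.Header.Set("User-Agent", fmt.Sprintf("agent-%d", i))
		reqs = append(reqs, r)
	}
	return reqs
}

// SimulateCardinality returns the distinct series count after the traffic for
// (a) the pre-0.44.0 default, (b) the WithFilter workaround and
// (c) 0.44.0-style bounded attributes.
func SimulateCardinality(n int) (unbounded, filtered, bounded int) {
	recorders := []*Recorder{
		NewRecorder(nil, false),
		NewRecorder(KnownMethodFilter, false),
		NewRecorder(nil, true),
	}
	for _, r := range sampleTraffic(n) {
		for _, rec := range recorders {
			rec.Observe(r)
		}
	}
	return recorders[0].SeriesCount(), recorders[1].SeriesCount(), recorders[2].SeriesCount()
}

func main() {
	u, f, b := SimulateCardinality(10000)
	fmt.Printf("series: unbounded=%d filtered=%d bounded=%d\n", u, f, b)
}
```

With 10000 attack requests the unbounded recorder holds 10001 series (one per unique method/User-Agent pair plus the legitimate GET), the filtered recorder holds 1 (the attack traffic is dropped from telemetry altogether, including any legitimate request that happens to use an unlisted method), and the bounded recorder holds 2 regardless of how many distinct values the attacker sends. That last behaviour is what makes upgrading preferable to the filter: coverage is kept while memory stays bounded.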
Fix
DoS
Missing Release of Resource after Effective Lifetime
Allocation of Resources Without Limits
Resource Exhaustion
Related Identifiers
Affected Products
Alt Linux
Opentelemetry-Go Contrib
Red Os
Suse