Uncontrolled Resource Consumption
CVE-2023-43810
Summary
OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source observation framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label `http_method`, which has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. The HTTP method for requests can be easily set by an attacker to be random and long. In order to be affected, the program has to be instrumented for HTTP handlers and does not filter any unknown HTTP methods at the level of CDN, LB, previous middleware, etc. This vulnerability affects opentelemetry-instrumentation-wsgi package versions prior to 0.41b0.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.
References
Advisory Timeline
- Published
