Advisory Database

GMS-2023-2906: opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics

October 2, 2023

Summary

Autoinstrumentation out of the box adds the label http_method, whose cardinality is unbounded: every distinct value the instrumentation sees becomes a new label value that is kept in memory for the metric. An attacker who sends many requests carrying distinct values can therefore drive the server to memory exhaustion.

Details

The HTTP method of a request is entirely attacker-controlled. A client can send any random, arbitrarily long method token, and each distinct token ends up as a new http_method label value.

PoC

Send many requests whose HTTP methods are long, randomly generated tokens and observe that the server's memory consumption grows for the duration of the traffic.
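The behaviour described in the Summary, Details and PoC above, as an added illustration written for this page rather than code from the opentelemetry-python-contrib project: a toy in-memory counter keyed on the http_method label stands in for a real metrics SDK, and a constructed stream of requests with random 64-character method tokens stands in for attacker traffic. The unbounded counter grows one time series per malicious request. A second counter passes each method through bound_method (an assumed helper name for this example, not the project's API), which collapses anything outside the RFC 9110 method set plus PATCH to a single NONSTANDARD placeholder. That is the general shape of the mitigation: the server, not the client, decides which label values can exist.

```python
"""Added illustration of unbounded label cardinality and a bounding filter.

Example code written for this page; it is not the opentelemetry-instrumentation
code base. A minimal in-memory counter keyed on the "http_method" label stands
in for a real metrics SDK, and a constructed batch of requests stands in for
attacker traffic.
"""
import random
import string
from collections import Counter
from typing import Callable, Optional, Tuple

# Methods defined by RFC 9110 plus PATCH (RFC 5789). Anything else is
# collapsed to one placeholder so the label's value set stays bounded.
KNOWN_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
)
NONSTANDARD = "NONSTANDARD"  # placeholder label value; name assumed for this example


def bound_method(method: str) -> str:
    """Map an attacker-controlled method token to a bounded label value."""
    upper = method.upper()
    return upper if upper in KNOWN_METHODS else NONSTANDARD


class MethodCounter:
    """Toy counter: one time series per distinct http_method label value."""

    def __init__(self, sanitize: Optional[Callable[[str], str]] = None):
        # sanitize=None reproduces the vulnerable behaviour: raw value as label.
        self._sanitize = sanitize
        self.series: Counter = Counter()

    def record(self, method: str) -> None:
        label = self._sanitize(method) if self._sanitize else method
        self.series[label] += 1

    def cardinality(self) -> int:
        """Number of distinct label values currently held in memory."""
        return len(self.series)


def random_method(rng: random.Random, length: int = 64) -> str:
    """Constructed attacker input: a random, long, syntactically valid token."""
    return "".join(rng.choices(string.ascii_uppercase, k=length))


def simulate(n_requests: int, seed: int = 0) -> Tuple[int, int]:
    """Replay the same traffic against a vulnerable and a bounded counter.

    One request in ten is a legitimate GET; the rest carry random methods.
    Returns (unbounded_cardinality, bounded_cardinality).
    """
    rng = random.Random(seed)
    unbounded = MethodCounter()
    bounded = MethodCounter(sanitize=bound_method)
    for i in range(n_requests):
        method = "GET" if i % 10 == 0 else random_method(rng)
        unbounded.record(method)
        bounded.record(method)
    return unbounded.cardinality(), bounded.cardinality()


if __name__ == "__main__":
    u, b = simulate(10_000)
    print(f"unbounded series: {u}, bounded series: {b}")
```

Run it directly to print both cardinalities: with 10,000 requests the unbounded counter holds 9,001 series (9,000 random methods plus GET) and keeps growing with every further request, while the bounded counter holds 2 regardless of how many requests arrive.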

References

  • github.com/advisories/GHSA-5rv5-6h4r-h22v
  • github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e
  • github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0
  • github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v

Affected versions

All versions before 0.41b0

Fixed versions

  • 0.41b0

Solution

Upgrade to version 0.41b0 or above.

Source file

pypi/opentelemetry-instrumentation/GMS-2023-2906.yml

Page generated Wed, 14 May 2025 12:15:43 +0000.