OpenTelemetry Observability Framework Vulnerability Allows Memory Exhaustion Attacks

CVE: CVE-2023-43810
CVSS v3.1: 7.5
Source: CVE-2023-43810

OpenTelemetry is an open source observability framework used by many companies to instrument applications and collect telemetry data such as traces and metrics. A vulnerability was discovered in earlier versions that could allow a remote attacker to exhaust the memory of an instrumented server.

The issue arose because the HTTP request method was recorded as a metric label without any bound on its cardinality: every distinct method string produced a new labelled time series held in memory. A malicious actor could send requests with random, long HTTP method names, causing memory usage on the targeted server to grow rapidly. Because the method values were never filtered or normalized, a system could be overwhelmed with very little effort.

Luckily, this has now been patched in OpenTelemetry version 0.41b0. If you use OpenTelemetry to monitor your applications, upgrade to the latest version to ensure you are no longer exposed. You should also consider filtering HTTP methods at other layers, such as load balancers or CDNs, to add an additional layer of protection.
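The cardinality problem described above, and the effect of the normalization that the upgrade and edge-filtering advice aim for, can be shown without any external dependency. The following is an added example written for this page; it is not OpenTelemetry's own code and does not reproduce the project's fix. It uses a constructed in-memory counter keyed by label tuples, a hypothetical `sanitize_method` allow-list that collapses anything outside the standard HTTP methods to a single `_OTHER` value, and a constructed traffic simulator that sends random method names the way the advisory describes. The same allow-list logic is what a load balancer or CDN rule would enforce before a request ever reaches the instrumented application.

```python
"""Label-cardinality exhaustion versus a bounded method label.

Constructed demonstration for this advisory, not OpenTelemetry code.
A minimal counter keyed by (method, route, status) stands in for a real
metrics backend so the growth in distinct series can be measured directly.
"""
from collections import Counter
import random
import string

# Standard HTTP methods (RFC 9110 plus PATCH). Anything else is collapsed
# to the single value OTHER so the label has a fixed, small cardinality.
KNOWN_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
)
OTHER = "_OTHER"


def sanitize_method(method):
    """Map an arbitrary request-line method to a bounded label value.

    Hypothetical helper: the real instrumentation library may normalize
    differently. Unknown, empty, or non-string input all become OTHER.
    """
    if not isinstance(method, str):
        return OTHER
    normalized = method.strip().upper()
    return normalized if normalized in KNOWN_METHODS else OTHER


class LabeledCounter:
    """Toy metric: one entry per distinct label tuple, like a time series."""

    def __init__(self, sanitize=None):
        self._series = Counter()
        self._sanitize = sanitize  # None reproduces the unbounded behaviour

    def record(self, method, route, status):
        if self._sanitize is not None:
            method = self._sanitize(method)
        self._series[(method, route, status)] += 1

    def series_count(self):
        """Number of distinct label sets held in memory."""
        return len(self._series)

    def total(self):
        """Total requests recorded across all series."""
        return sum(self._series.values())


def random_method(rng, length=32):
    """Constructed attacker-style input: a long, random, never-seen method."""
    return "".join(rng.choices(string.ascii_uppercase, k=length))


def simulate(requests, sanitize=None, seed=0):
    """Record `requests` requests with random methods; return (series, total)."""
    rng = random.Random(seed)
    counter = LabeledCounter(sanitize)
    for _ in range(requests):
        # Servers typically answer an unknown method with 405, which is
        # exactly why a blind allow-list at the edge loses nothing useful.
        counter.record(random_method(rng), "/", 405)
    return counter.series_count(), counter.total()


def cardinality_exceeded(series_count, budget):
    """Simple detection check: alert when distinct series pass a fixed budget.

    Watching this number (or process RSS) is the early signal for this class
    of abuse, since memory grows with series count rather than request count.
    """
    return series_count > budget


if __name__ == "__main__":
    unbounded_series, n = simulate(1000)
    bounded_series, _ = simulate(1000, sanitize=sanitize_method)
    print(f"{n} requests -> {unbounded_series} series without sanitization")
    print(f"{n} requests -> {bounded_series} series with sanitization")
    print("alert:", cardinality_exceeded(unbounded_series, budget=100))
```

Run stand-alone, the script records 1000 requests with random methods: without sanitization every request creates a new series, with sanitization all of them share one `_OTHER` series, and the budget check fires only in the unbounded case. In production the budget would be tuned to the expected number of legitimate label combinations for the service.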

By keeping an eye on security advisories for the tools you rely on and upgrading when issues are found, you can help prevent memory exhaustion and other attacks. Regular monitoring of memory usage can also help detect abnormal growth early, before it impacts availability. Staying on top of patches is key to maintaining the security of observability systems.
