chore(deps): update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.44.0 [security] (main) (grafana#10917)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://togithub.com/open-telemetry/opentelemetry-go-contrib) | indirect | minor | `v0.42.0` -> `v0.44.0` |

### GitHub Vulnerability Alerts

#### [CVE-2023-45142](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh)

### Summary

OpenTelemetry-Go Contrib has a [handler wrapper
`otelhttp`](https://togithub.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)
that adds the following labels by default that have unbound cardinality:

- `http.user_agent`
- `http.method`

This leads to the server's potential memory exhaustion when many
malicious requests are sent to it.

### Details

HTTP header User-Agent or HTTP method for requests can be easily set by
an attacker to be random and long. The library internally uses
[httpconv.ServerRequest](https://togithub.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)
that records every value for HTTP
[method](https://togithub.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L204)
and
[User-Agent](https://togithub.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223).

[This pull
request](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277)
released with version 0.44.0 fixes this vulnerability. The values
collected for attribute `http.request.method` were changed to be
restricted to a set of well-known values and other high cardinality
attributes were removed.

### Impact

In order to be affected, a program has to use the
[otelhttp.NewHandler](https://togithub.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)
wrapper and not filter unknown HTTP methods or User-Agents at
the level of a CDN, LB, previous middleware, etc.

### Others

This vulnerability is similar but different from these known
vulnerabilities:
- GHSA-5r5m-65gx-7vrh ([open-telemetry/opentelemetry-go-contrib](https://togithub.com/open-telemetry/opentelemetry-go-contrib))
- GHSA-cg3q-j54f-5p7p ([prometheus/client_golang](https://togithub.com/prometheus/client_golang))

### Workaround for affected versions

As a workaround,
[otelhttp.WithFilter()](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/filters)
can be used instead, but it requires manual careful configuration to not
log certain requests entirely.

---

### Memory exhaustion in github.com/open-telemetry/opentelemetry-go-contrib

[CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) / [GHSA-rcjv-mgp8-qvmr](https://togithub.com/advisories/GHSA-rcjv-mgp8-qvmr) / [GO-2023-2113](https://pkg.go.dev/vuln/GO-2023-2113)

<details>
<summary>More information</summary>

#### Details
Memory exhaustion in github.com/open-telemetry/opentelemetry-go-contrib

#### Severity
Unknown

#### References
- [https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr)
- open-telemetry/opentelemetry-go-contrib#4277

This data is provided by
[OSV](https://osv.dev/vulnerability/GO-2023-2113) and the [Go
Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY
4.0](https://togithub.com/golang/vulndb#license)).
</details>

---

### OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics

[CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) / [GHSA-rcjv-mgp8-qvmr](https://togithub.com/advisories/GHSA-rcjv-mgp8-qvmr)

<details>
<summary>More information</summary>

#### Details
##### Summary

OpenTelemetry-Go Contrib has a [handler wrapper
`otelhttp`](https://togithub.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)
that adds the following labels by default that have unbound cardinality:

- `http.user_agent`
- `http.method`

This leads to the server's potential memory exhaustion when many
malicious requests are sent to it.

##### Details

HTTP header User-Agent or HTTP method for requests can be easily set by
an attacker to be random and long. The library internally uses
[httpconv.ServerRequest](https://togithub.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)
that records every value for HTTP
[method](https://togithub.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L204)
and
[User-Agent](https://togithub.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223).

[This pull
request](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277)
released with version 0.44.0 fixes this vulnerability. The values
collected for attribute `http.request.method` were changed to be
restricted to a set of well-known values and other high cardinality
attributes were removed.

##### Impact

In order to be affected, a program has to use the
[otelhttp.NewHandler](https://togithub.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)
wrapper and not filter unknown HTTP methods or User-Agents at
the level of a CDN, LB, previous middleware, etc.

##### Others

This vulnerability is similar but different from these known
vulnerabilities:
- GHSA-5r5m-65gx-7vrh ([open-telemetry/opentelemetry-go-contrib](https://togithub.com/open-telemetry/opentelemetry-go-contrib))
- GHSA-cg3q-j54f-5p7p ([prometheus/client_golang](https://togithub.com/prometheus/client_golang))

##### Workaround for affected versions

As a workaround,
[otelhttp.WithFilter()](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/filters)
can be used instead, but it requires manual careful configuration to not
log certain requests entirely.

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References
- [https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh)
- [https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr)
- [https://nvd.nist.gov/vuln/detail/CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142)
- open-telemetry/opentelemetry-go-contrib#4277
- [https://github.com/advisories/GHSA-cg3q-j54f-5p7p](https://togithub.com/advisories/GHSA-cg3q-j54f-5p7p)
- [https://github.com/open-telemetry/opentelemetry-go-contrib](https://togithub.com/open-telemetry/opentelemetry-go-contrib)
- [https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65](https://togithub.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)
- [https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0](https://togithub.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)
- [https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223](https://togithub.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)
- [https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159](https://togithub.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-rcjv-mgp8-qvmr) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/grafana/loki).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate[bot] authored and rhnasc committed Apr 12, 2024
1 parent 52121db commit 1e01c60
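To make the advisory's mechanism concrete, here is an added Go example (not code from Loki, Renovate or the otelhttp project) that contrasts the pre-fix labelling of raw `http.method` and `http.user_agent` with the v0.44.0 approach of restricting the method attribute to well-known values and dropping User-Agent. The `series` map is a hypothetical stand-in for a metrics instrument, and the request values are constructed.

```go
package main

import (
	"fmt"
	"net/http"
)

// knownMethods mirrors the approach of the v0.44.0 fix: only well-known HTTP
// methods may become label values; anything else collapses into one bucket.
var knownMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// NormalizeMethod returns m unchanged if it is well known, otherwise "_OTHER".
func NormalizeMethod(m string) string {
	if knownMethods[m] {
		return m
	}
	return "_OTHER"
}

// series is a hypothetical stand-in for a metrics instrument: every distinct
// attribute key is one time series kept in memory for the life of the process,
// which is where unbounded cardinality turns into memory exhaustion.
type series map[string]int

// VulnerableKey models the pre-fix labels: raw method and User-Agent, both
// entirely client-controlled.
func VulnerableKey(r *http.Request) string { return r.Method + "|" + r.UserAgent() }

// HardenedKey keeps only the normalized method and drops User-Agent.
func HardenedKey(r *http.Request) string { return NormalizeMethod(r.Method) }

// Simulate feeds n constructed requests, each with a unique method and
// User-Agent, through both keying strategies and returns how many distinct
// series each one retains.
func Simulate(n int) (vulnerable, hardened int) {
	v, h := series{}, series{}
	for i := 0; i < n; i++ {
		r := &http.Request{Method: fmt.Sprintf("M%d", i), Header: http.Header{}}
		r.Header.Set("User-Agent", fmt.Sprintf("ua-%d", i))
		v[VulnerableKey(r)]++
		h[HardenedKey(r)]++
	}
	return len(v), len(h)
}

func main() {
	v, h := Simulate(10000)
	fmt.Printf("raw labels: %d series, normalized labels: %d series\n", v, h)
}
```

The same bounded label set is what a reviewer should look for in any other middleware that turns request headers into metric attributes; the `otelhttp.WithFilter()` workaround named above drops whole requests instead, so it needs care not to lose visibility of legitimate traffic.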
Showing 29 changed files with 1,148 additions and 748 deletions.
8 changes: 4 additions & 4 deletions go.mod
Expand Up @@ -302,10 +302,10 @@ require (
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/collector/pdata v1.0.0-rcv0014 // indirect
go.opentelemetry.io/collector/semconv v0.81.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0 // indirect
go.opentelemetry.io/otel v1.16.0 // indirect
go.opentelemetry.io/otel/metric v1.16.0 // indirect
go.opentelemetry.io/otel/trace v1.16.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 // indirect
go.opentelemetry.io/otel v1.18.0 // indirect
go.opentelemetry.io/otel/metric v1.18.0 // indirect
go.opentelemetry.io/otel/trace v1.18.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.21.0 // indirect
golang.org/x/mod v0.12.0 // indirect
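Review bot: the commit title names only otelhttp v0.44.0, but this hunk also moves go.opentelemetry.io/otel, otel/metric and otel/trace from v1.16.0 to v1.18.0; since all four lines are `// indirect`, the commit message should say that the API bumps are pulled in by otelhttp v0.44.0 (verifiable with `go mod why -m go.opentelemetry.io/otel`) rather than leaving a reader to guess whether they are an incidental upgrade.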
16 changes: 8 additions & 8 deletions go.sum
Expand Up @@ -1388,14 +1388,14 @@ go.opentelemetry.io/collector/pdata v1.0.0-rcv0014 h1:iT5qH0NLmkGeIdDtnBogYDx7L5
go.opentelemetry.io/collector/pdata v1.0.0-rcv0014/go.mod h1:BRvDrx43kiSoUx3mr7SoA7h9B8+OY99mUK+CZSQFWW4=
go.opentelemetry.io/collector/semconv v0.81.0 h1:lCYNNo3powDvFIaTPP2jDKIrBiV1T92NK4QgL/aHYXw=
go.opentelemetry.io/collector/semconv v0.81.0/go.mod h1:TlYPtzvsXyHOgr5eATi43qEMqwSmIziivJB2uctKswo=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0 h1:pginetY7+onl4qN1vl0xW/V/v6OBZ0vVdH+esuJgvmM=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0/go.mod h1:XiYsayHc36K3EByOO6nbAXnAWbrUxdjUROCEeeROOH8=
go.opentelemetry.io/otel v1.16.0 h1:Z7GVAX/UkAXPKsy94IU+i6thsQS4nb7LviLpnaNeW8s=
go.opentelemetry.io/otel v1.16.0/go.mod h1:vl0h9NUa1D5s1nv3A5vZOYWn8av4K8Ml6JDeHrT/bx4=
go.opentelemetry.io/otel/metric v1.16.0 h1:RbrpwVG1Hfv85LgnZ7+txXioPDoh6EdbZHo26Q3hqOo=
go.opentelemetry.io/otel/metric v1.16.0/go.mod h1:QE47cpOmkwipPiefDwo2wDzwJrlfxxNYodqc4xnGCo4=
go.opentelemetry.io/otel/trace v1.16.0 h1:8JRpaObFoW0pxuVPapkgH8UhHQj+bJW8jJsCZEu5MQs=
go.opentelemetry.io/otel/trace v1.16.0/go.mod h1:Yt9vYq1SdNz3xdjZZK7wcXv1qv2pwLkqr2QVwea0ef0=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 h1:KfYpVmrjI7JuToy5k8XV3nkapjWx48k4E4JOtVstzQI=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0/go.mod h1:SeQhzAEccGVZVEy7aH87Nh0km+utSpo1pTv6eMMop48=
go.opentelemetry.io/otel v1.18.0 h1:TgVozPGZ01nHyDZxK5WGPFB9QexeTMXEH7+tIClWfzs=
go.opentelemetry.io/otel v1.18.0/go.mod h1:9lWqYO0Db579XzVuCKFNPDl4s73Voa+zEck3wHaAYQI=
go.opentelemetry.io/otel/metric v1.18.0 h1:JwVzw94UYmbx3ej++CwLUQZxEODDj/pOuTCvzhtRrSQ=
go.opentelemetry.io/otel/metric v1.18.0/go.mod h1:nNSpsVDjWGfb7chbRLUNW+PBNdcSTHD4Uu5pfFMOI0k=
go.opentelemetry.io/otel/trace v1.18.0 h1:NY+czwbHbmndxojTEKiSMHkG2ClNH2PwmcHrdo0JY10=
go.opentelemetry.io/otel/trace v1.18.0/go.mod h1:T2+SGJGuYZY3bjj5rgh/hN7KIrlpWC5nS8Mjvzckz+0=
go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
go.starlark.net v0.0.0-20200901195727-6e684ef5eeee/go.mod h1:f0znQkUKRrkk36XxWbGjMqQM8wGv/xHBVE2qc3B5oFU=
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
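Review bot: the v0.42.0 and v1.16.0 `h1:` and `/go.mod` checksum lines are removed rather than kept alongside the new ones, which is only safe if nothing else in the module graph still selects those versions; a `go mod tidy` followed by `go mod verify` on the branch would confirm that, and since only 2 of the 29 changed files are rendered here, the remaining files (presumably the vendored copies of the bumped modules) deserve a look to confirm the handler.go change from open-telemetry/opentelemetry-go-contrib#4277 is actually present.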
