Commit
chore(deps): update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.44.0 [security] (main) (grafana#10917)

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://togithub.com/open-telemetry/opentelemetry-go-contrib) | indirect | minor | `v0.42.0` -> `v0.44.0` |

### GitHub Vulnerability Alerts

#### [CVE-2023-45142](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh)

### Summary

OpenTelemetry-Go Contrib has a [handler wrapper `otelhttp`](https://togithub.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65) that adds the following labels by default that have unbound cardinality:

- `http.user_agent`
- `http.method`

This leads to the server's potential memory exhaustion when many malicious requests are sent to it.

### Details

The HTTP header User-Agent or the HTTP method of a request can easily be set by an attacker to be random and long. The library internally uses [httpconv.ServerRequest](https://togithub.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159), which records every value for the HTTP [method](https://togithub.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L204) and [User-Agent](https://togithub.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223).

[This pull request](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277), released with version 0.44.0, fixes this vulnerability. The values collected for the attribute `http.request.method` were changed to be restricted to a set of well-known values, and other high-cardinality attributes were removed.

### Impact

In order to be affected, a program has to use the [otelhttp.NewHandler](https://togithub.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65) wrapper and not filter unknown HTTP methods or User-Agents at the level of a CDN, LB, previous middleware, etc.

### Others

This vulnerability is similar to but different from these known vulnerabilities:

- GHSA-5r5m-65gx-7vrh ([open-telemetry/opentelemetry-go-contrib](https://togithub.com/open-telemetry/opentelemetry-go-contrib))
- GHSA-cg3q-j54f-5p7p ([prometheus/client_golang](https://togithub.com/prometheus/client_golang))

### Workaround for affected versions

As a workaround, [otelhttp.WithFilter()](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/filters) can be used instead, but it requires careful manual configuration so as not to drop logging of certain requests entirely.

---

### Memory exhaustion in github.com/open-telemetry/opentelemetry-go-contrib

[CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) / [GHSA-rcjv-mgp8-qvmr](https://togithub.com/advisories/GHSA-rcjv-mgp8-qvmr) / [GO-2023-2113](https://pkg.go.dev/vuln/GO-2023-2113)

<details>
<summary>More information</summary>

#### Details

Memory exhaustion in github.com/open-telemetry/opentelemetry-go-contrib

#### Severity

Unknown

#### References

- [https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr)
- [open-telemetry/opentelemetry-go-contrib#4277](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-2113) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).
</details>

---

### OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics

[CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) / [GHSA-rcjv-mgp8-qvmr](https://togithub.com/advisories/GHSA-rcjv-mgp8-qvmr)

<details>
<summary>More information</summary>

#### Details

##### Summary

OpenTelemetry-Go Contrib has a [handler wrapper `otelhttp`](https://togithub.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65) that adds the following labels by default that have unbound cardinality:

- `http.user_agent`
- `http.method`

This leads to the server's potential memory exhaustion when many malicious requests are sent to it.

##### Details

The HTTP header User-Agent or the HTTP method of a request can easily be set by an attacker to be random and long. The library internally uses [httpconv.ServerRequest](https://togithub.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159), which records every value for the HTTP [method](https://togithub.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L204) and [User-Agent](https://togithub.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223).

[This pull request](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277), released with version 0.44.0, fixes this vulnerability. The values collected for the attribute `http.request.method` were changed to be restricted to a set of well-known values, and other high-cardinality attributes were removed.

##### Impact

In order to be affected, a program has to use the [otelhttp.NewHandler](https://togithub.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65) wrapper and not filter unknown HTTP methods or User-Agents at the level of a CDN, LB, previous middleware, etc.

##### Others

This vulnerability is similar to but different from these known vulnerabilities:

- GHSA-5r5m-65gx-7vrh ([open-telemetry/opentelemetry-go-contrib](https://togithub.com/open-telemetry/opentelemetry-go-contrib))
- GHSA-cg3q-j54f-5p7p ([prometheus/client_golang](https://togithub.com/prometheus/client_golang))

##### Workaround for affected versions

As a workaround, [otelhttp.WithFilter()](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/filters) can be used instead, but it requires careful manual configuration so as not to drop logging of certain requests entirely.

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References

- [https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh)
- [https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr](https://togithub.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr)
- [https://nvd.nist.gov/vuln/detail/CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142)
- [open-telemetry/opentelemetry-go-contrib#4277](https://togithub.com/open-telemetry/opentelemetry-go-contrib/pull/4277)
- [https://github.com/advisories/GHSA-cg3q-j54f-5p7p](https://togithub.com/advisories/GHSA-cg3q-j54f-5p7p)
- [https://github.com/open-telemetry/opentelemetry-go-contrib](https://togithub.com/open-telemetry/opentelemetry-go-contrib)
- [https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65](https://togithub.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65)
- [https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0](https://togithub.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0)
- [https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223](https://togithub.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223)
- [https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159](https://togithub.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-rcjv-mgp8-qvmr) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/grafana/loki).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
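The cardinality blow-up the advisory describes, and the bounded-method-set approach it says the fix took, as an added Go example that is not part of this PR, of Loki, or of otelhttp. It uses only the standard library: a `VulnerableMiddleware` that turns the raw method and User-Agent into metric attributes (the pre-0.44.0 pattern), a `HardenedMiddleware` that keeps only a method attribute restricted to a fixed set, and a driver that feeds both with constructed hostile requests through `net/http/httptest` and reports how many distinct series each one created. The `knownMethods` set, the `_OTHER` placeholder, the `AttrCounter` stand-in for a metrics instrument and all function names are this example's own assumptions, not otelhttp's API.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// knownMethods is the bounded set of HTTP methods this example is willing to
// use as a metric attribute value. Any other token on the request line
// collapses to otherMethod, so the number of distinct series stays fixed no
// matter what an attacker sends. (Assumption: this example's own set.)
var knownMethods = map[string]struct{}{
	"GET": {}, "HEAD": {}, "POST": {}, "PUT": {}, "DELETE": {},
	"CONNECT": {}, "OPTIONS": {}, "TRACE": {}, "PATCH": {},
}

// otherMethod is the placeholder for unknown methods. Assumption: this
// example's convention, modelled on the advisory's description of the fix,
// not otelhttp's exact behaviour.
const otherMethod = "_OTHER"

// NormalizeMethod maps a request method onto the bounded set. Matching is
// exact because HTTP methods are case-sensitive; "get" is not "GET".
func NormalizeMethod(method string) string {
	if _, ok := knownMethods[method]; ok {
		return method
	}
	return otherMethod
}

// AttrCounter is a deliberately minimal stand-in for a metrics instrument:
// one counter per distinct attribute set. Its key count is exactly the
// cardinality an attacker can inflate; in a real exporter every key is a
// time series that stays resident in memory for the life of the process.
type AttrCounter struct {
	mu     sync.Mutex
	counts map[string]int
}

func NewAttrCounter() *AttrCounter { return &AttrCounter{counts: make(map[string]int)} }

// Add increments the counter for the given attribute set.
func (c *AttrCounter) Add(attrs ...string) {
	key := strings.Join(attrs, "\x00")
	c.mu.Lock()
	defer c.mu.Unlock()
	c.counts[key]++
}

// Cardinality returns how many distinct attribute sets have been recorded.
func (c *AttrCounter) Cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.counts)
}

// VulnerableMiddleware mirrors the pattern the advisory describes: the raw
// method and User-Agent, both attacker-controlled and unbounded, become
// metric attributes.
func VulnerableMiddleware(c *AttrCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.Add("http.method="+r.Method, "http.user_agent="+r.UserAgent())
		next.ServeHTTP(w, r)
	})
}

// HardenedMiddleware records only a bounded method attribute and keeps the
// User-Agent out of metrics entirely (it can still be put on a span).
func HardenedMiddleware(c *AttrCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.Add("http.request.method=" + NormalizeMethod(r.Method))
		next.ServeHTTP(w, r)
	})
}

// Cardinalities drives both middlewares with n constructed hostile requests
// (a unique bogus method and User-Agent each) plus one ordinary GET, and
// returns the resulting series counts. Requests are built in memory; no
// socket is opened.
func Cardinalities(n int) (vulnerable, hardened int) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	vc, hc := NewAttrCounter(), NewAttrCounter()
	vh, hh := VulnerableMiddleware(vc, ok), HardenedMiddleware(hc, ok)

	send := func(method, ua string) {
		req := httptest.NewRequest(method, "/", nil) // constructed request
		req.Header.Set("User-Agent", ua)
		vh.ServeHTTP(httptest.NewRecorder(), req)
		hh.ServeHTTP(httptest.NewRecorder(), req)
	}
	for i := 0; i < n; i++ {
		send(fmt.Sprintf("BOGUS%d", i), fmt.Sprintf("scanner/%d", i))
	}
	send("GET", "curl/8.0")
	return vc.Cardinality(), hc.Cardinality()
}

func main() {
	v, h := Cardinalities(1000)
	fmt.Printf("vulnerable: %d series, hardened: %d series\n", v, h)
}
```

With 1000 hostile requests the vulnerable counter holds 1001 series and the hardened one holds 2 (`_OTHER` and `GET`), and the gap grows linearly with whatever an attacker is willing to send. The real remediation is the upgrade this PR performs; the example only shows why the advisory's workaround of filtering on method, and keeping User-Agent off metrics altogether, is what bounds the memory an unauthenticated client can make the server allocate.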