CVE-2023-45142 Overview
CVE-2023-45142 is a resource exhaustion vulnerability affecting OpenTelemetry-Go Contrib, a collection of third-party packages for OpenTelemetry-Go. The vulnerability exists in the otelhttp.NewHandler wrapper, which adds labels for http.user_agent and http.method with unbounded cardinality. This design flaw allows attackers to exhaust server memory by sending numerous malicious requests with randomized and lengthy User-Agent headers or HTTP methods.
The library internally uses httpconv.ServerRequest to record every unique value for the HTTP method and User-Agent attributes. When an attacker can control these values, they can generate an unlimited number of unique metric labels, leading to uncontrolled memory consumption and eventual denial of service.
Critical Impact
Applications using OpenTelemetry-Go Contrib's HTTP handler wrapper are vulnerable to memory exhaustion attacks, potentially causing complete service unavailability without requiring any authentication.
Affected Products
- OpenTelemetry-Go Contrib versions prior to 0.44.0
- Applications using otelhttp.NewHandler wrapper without CDN/LB filtering
- Go applications with OpenTelemetry instrumentation (cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:*)
Discovery Timeline
- October 12, 2023 - CVE-2023-45142 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-45142
Vulnerability Analysis
This vulnerability represents a classic resource exhaustion attack enabled by improper handling of high-cardinality metric labels. The otelhttp handler wrapper is designed to collect telemetry data from HTTP requests, including the User-Agent header and HTTP method. However, the implementation records these values without any bounds checking or normalization.
In a typical deployment, HTTP methods should be limited to a well-known set (GET, POST, PUT, DELETE, etc.), and User-Agent strings, while varied, should be filtered or normalized when used as metric labels. The vulnerable code path accepts any arbitrary value for these attributes and creates unique metric labels for each, storing them in memory indefinitely.
For an attack to succeed, the target application must use the otelhttp.NewHandler wrapper and must not have implemented filtering for unknown HTTP methods or User-Agent strings at the CDN, load balancer, or middleware level. This makes applications that rely solely on the OpenTelemetry library for HTTP handling particularly vulnerable.
Root Cause
The root cause lies in the httpconv.ServerRequest function which records every unique value for the http.method and http.user_agent attributes without any cardinality limits. The handler code at instrumentation/net/http/otelhttp/handler.go creates metric labels directly from user-controlled input values. This violates the security principle of bounded resource allocation, where user-controlled data should never directly influence the growth of server-side data structures without explicit limits.
Attack Vector
The attack vector is network-based and requires no authentication or special privileges. An attacker sends a large volume of HTTP requests to an affected server, each containing a unique, randomly generated User-Agent header or using non-standard HTTP methods.
Each unique combination creates a new entry in the metrics system, consuming server memory. The attacker can easily automate this process using common HTTP tools, setting the User-Agent header to random strings of arbitrary length. Over time, or with sufficient request volume, the server's available memory is exhausted, leading to service degradation or complete unavailability.
The vulnerability is particularly dangerous because the malicious requests may appear legitimate at the network level and could bypass simple rate limiting that doesn't account for header content variability.
Detection Methods for CVE-2023-45142
Indicators of Compromise
- Rapid increase in memory consumption on servers running OpenTelemetry-Go instrumented applications
- Unusually high cardinality in OpenTelemetry metrics for http.user_agent or http.method attributes
- HTTP access logs showing requests with abnormally long or randomized User-Agent strings
- Requests using non-standard HTTP methods (anything other than GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS, TRACE, CONNECT)
Detection Strategies
- Monitor memory usage patterns on application servers for unexpected growth correlated with HTTP traffic
- Implement alerting on OpenTelemetry metric cardinality thresholds for HTTP-related attributes
- Analyze HTTP access logs for User-Agent diversity anomalies using entropy analysis
- Deploy application performance monitoring (APM) to track metric storage growth over time
Monitoring Recommendations
- Configure alerts for memory utilization exceeding baseline thresholds on instrumented services
- Set up cardinality monitoring for OpenTelemetry metrics using Prometheus or compatible backends
- Enable verbose logging for HTTP requests with non-standard methods at the edge layer
- Implement request sampling to identify sources of high-cardinality metric generation
How to Mitigate CVE-2023-45142
Immediate Actions Required
- Upgrade OpenTelemetry-Go Contrib to version 0.44.0 or later immediately
- Review application code for usage of otelhttp.NewHandler wrapper
- Implement HTTP method and User-Agent filtering at CDN, load balancer, or reverse proxy level
- Apply the otelhttp.WithFilter() workaround if immediate upgrade is not possible
Patch Information
Version 0.44.0 of OpenTelemetry-Go Contrib addresses this vulnerability by restricting the values collected for the http.request.method attribute to a set of well-known HTTP methods and removing other high cardinality attributes. The fix ensures that non-standard HTTP methods are labeled as unknown rather than recorded verbatim, preventing unbounded cardinality growth. The patch is available through the GitHub Release v1.19.0. Technical details of the fix can be found in the GitHub Pull Request #4277. Additional information is available in the vendor security advisories.
Workarounds
- Use otelhttp.WithFilter() to exclude requests with non-standard HTTP methods or suspicious User-Agent patterns from telemetry collection
- Deploy a reverse proxy or WAF configured to reject requests with non-standard HTTP methods before they reach the application
- Implement application-level middleware to normalize or truncate User-Agent strings before OpenTelemetry processing
- Configure CDN or load balancer rules to filter requests with User-Agent headers exceeding reasonable length thresholds
# Example: Configure nginx to filter non-standard HTTP methods
# Add to your nginx server configuration
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|PATCH|OPTIONS)$) {
return 405;
}
# Limit User-Agent header length at the proxy level
# This requires lua-nginx-module or similar
# set $ua $http_user_agent;
# if ($ua ~ ".{500,}") {
# return 400;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
