CVE-2023-25151

7.5 HIGH

📋 TL;DR

This vulnerability in OpenTelemetry Go instrumentation allows attackers to cause denial-of-service through memory exhaustion. By sending HTTP requests with constantly changing query strings, attackers can trigger unbounded memory allocation in metrics collection. This affects any service using the vulnerable OpenTelemetry Go HTTP instrumentation library.

💻 Affected Systems

Products:
  • opentelemetry-go-contrib instrumentation for net/http/otelhttp
Versions: Version 0.38.0 specifically
Operating Systems: All operating systems running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users of cumulative temporality metrics (default configuration). Applications must be using the specific HTTP instrumentation from the contrib package.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage due to memory exhaustion, potentially affecting all services using the vulnerable library across an environment.

🟠 Likely Case: Gradual performance degradation leading to service instability and potential outages under sustained attack.

🟢 If Mitigated: Minimal impact with proper monitoring and rapid response to unusual memory patterns.

🌐 Internet-Facing: HIGH - Internet-facing services are directly exposed to attackers who can craft malicious requests with random query strings.
🏢 Internal Only: MEDIUM - Internal services could still be targeted by authenticated attackers or through other compromised systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests with varying query strings, which is trivial to automate. No authentication needed for internet-facing services.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.39.0

Vendor Advisory: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh

Restart Required: Yes

Instructions:

1. Update go.mod to require go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.39.0 or higher.
2. Run 'go mod tidy'.
3. Rebuild and redeploy your application.
4. Restart affected services.

🔧 Temporary Workarounds

No known workarounds

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Implement rate limiting on HTTP endpoints to restrict request volume
  • Deploy memory monitoring with aggressive alerting on unusual allocation patterns

🔍 How to Verify

Check if Vulnerable:

Check your go.mod file for 'go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp' version. If it's exactly 0.38.0, you're vulnerable.

Check Version:

grep 'go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp' go.mod

Verify Fix Applied:

After updating, verify go.mod shows version 0.39.0 or higher for the otelhttp dependency.
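The grep above only shows the raw line; the following Go program, added here as an example (it is not part of the advisory or of the OpenTelemetry project), parses go.mod text and classifies the otelhttp requirement the way the advisory describes: exactly v0.38.0 is vulnerable, v0.39.0 or later carries the fix. It handles both the single-line `require` form and the `require ( ... )` block, and ignores `// indirect` comments. The module name `example.com/service` and the dependency `github.com/example/dep` in the sample go.mod are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// OtelhttpModule is the module path named in the advisory.
const OtelhttpModule = "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"

// SampleGoMod is a constructed go.mod for the example; the module and the
// first dependency are made up, the otelhttp line is the vulnerable version.
const SampleGoMod = `module example.com/service

go 1.20

require (
	github.com/example/dep v1.2.3
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.38.0 // indirect
	go.opentelemetry.io/otel v1.12.0
)
`

// ModuleVersion returns the version that gomod requires for module. It reads
// both `require m vX` lines and `require ( ... )` blocks and strips trailing
// comments such as `// indirect`. ok is false when the module is not listed.
func ModuleVersion(gomod, module string) (version string, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inRequire := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inRequire = true
			continue
		case line == ")":
			inRequire = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inRequire:
			continue // module/go/replace/exclude lines are not requirements
		}
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// parseVersion splits "v0.39.0" into major, minor and patch numbers. Any
// pre-release or build suffix after '-' or '+' is dropped before parsing.
func parseVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("unrecognised version %q", v)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return 0, 0, 0, err
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// Status classifies the otelhttp requirement in gomod according to the
// advisory: exactly v0.38.0 is vulnerable, v0.39.0 or later is fixed.
func Status(gomod string) string {
	v, ok := ModuleVersion(gomod, OtelhttpModule)
	if !ok {
		return "not present"
	}
	if v == "v0.38.0" {
		return "VULNERABLE (" + v + ")"
	}
	major, minor, _, err := parseVersion(v)
	if err != nil {
		return "unknown version " + v
	}
	if major > 0 || minor >= 39 {
		return "fixed (" + v + ")"
	}
	return "not affected, but older than the fix (" + v + ")"
}

func main() {
	fmt.Println("otelhttp:", Status(SampleGoMod))
}
```

A `replace` directive or a pseudo-version can change the version actually built, so treat this as a first pass over go.mod; `go list -m go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` run in the module directory prints the version the build resolves.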

📡 Detection & Monitoring

Log Indicators:

  • Rapid increase in unique URI patterns in access logs
  • Unusual memory growth patterns in application metrics

Network Indicators:

  • High volume of HTTP requests with random query parameters
  • Requests with unusually long or complex query strings
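The log and network indicators above both come down to the same measurement: how many distinct query strings a path receives relative to its request count, and how long those query strings are. The Go program below, added as an example and not part of the advisory, computes that per path over Common Log Format access-log lines and flags paths whose query strings are almost never reused, which is the traffic shape that inflates the vulnerable instrumentation's metric cardinality. The log lines, client addresses and paths are constructed for the example; the thresholds `minRequests` and `minRatio` are assumptions to tune against real traffic.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// SampleLog is constructed Common Log Format traffic: one client hammering
// /api/items with a fresh query string every request, normal repeated
// searches, health checks, and one line that is not a request at all.
const SampleLog = `10.0.0.9 - - [10/Feb/2023:12:00:01 +0000] "GET /api/items?c=9f1c2a7e HTTP/1.1" 200 40
10.0.0.9 - - [10/Feb/2023:12:00:01 +0000] "GET /api/items?c=c81e728d HTTP/1.1" 200 40
10.0.0.9 - - [10/Feb/2023:12:00:01 +0000] "GET /api/items?c=eccbc87e HTTP/1.1" 200 40
10.0.0.9 - - [10/Feb/2023:12:00:02 +0000] "GET /api/items?c=a87ff679 HTTP/1.1" 200 40
10.0.0.9 - - [10/Feb/2023:12:00:02 +0000] "GET /api/items?c=e4da3b7f HTTP/1.1" 200 40
10.0.0.9 - - [10/Feb/2023:12:00:02 +0000] "GET /api/items?c=1679091c HTTP/1.1" 200 40
10.0.0.7 - - [10/Feb/2023:12:00:03 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048
10.0.0.7 - - [10/Feb/2023:12:00:04 +0000] "GET /search?q=boots HTTP/1.1" 200 1990
10.0.0.8 - - [10/Feb/2023:12:00:05 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048
10.0.0.8 - - [10/Feb/2023:12:00:06 +0000] "GET /search?q=boots HTTP/1.1" 200 1990
10.0.0.1 - - [10/Feb/2023:12:00:07 +0000] "GET /healthz HTTP/1.1" 200 2
10.0.0.1 - - [10/Feb/2023:12:00:17 +0000] "GET /healthz HTTP/1.1" 200 2
this line is not a request and is skipped
`

// PathStats summarises the requests seen for one URL path.
type PathStats struct {
	Path            string
	Requests        int
	DistinctQueries int // number of unique raw query strings seen
	LongestQuery    int // length in bytes of the longest query string seen
}

// requestLine extracts the request target from a CLF line, e.g. the
// "/api/items?c=9f1c2a7e" in `"GET /api/items?c=9f1c2a7e HTTP/1.1"`.
var requestLine = regexp.MustCompile(`"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/[0-9.]+"`)

// AnalyzeAccessLog groups log lines by path and measures query-string
// cardinality per path. Lines that do not parse as CLF requests are skipped.
func AnalyzeAccessLog(log string) []PathStats {
	type acc struct {
		requests int
		queries  map[string]struct{}
		longest  int
	}
	perPath := map[string]*acc{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := requestLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		u, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		a := perPath[u.Path]
		if a == nil {
			a = &acc{queries: map[string]struct{}{}}
			perPath[u.Path] = a
		}
		a.requests++
		if u.RawQuery != "" {
			a.queries[u.RawQuery] = struct{}{}
			if len(u.RawQuery) > a.longest {
				a.longest = len(u.RawQuery)
			}
		}
	}
	var out []PathStats
	for p, a := range perPath {
		out = append(out, PathStats{Path: p, Requests: a.requests, DistinctQueries: len(a.queries), LongestQuery: a.longest})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// Suspicious reports whether a path's query strings are almost never reused:
// at least minRequests requests with distinct/requests >= minRatio. Under the
// vulnerable otelhttp each new query string is a new metric series, so this
// ratio approaching 1.0 is the signal to alert on.
func Suspicious(s PathStats, minRequests int, minRatio float64) bool {
	if s.Requests < minRequests || s.DistinctQueries == 0 {
		return false
	}
	return float64(s.DistinctQueries)/float64(s.Requests) >= minRatio
}

// FlagHighCardinality returns the paths in log that meet the thresholds.
func FlagHighCardinality(log string, minRequests int, minRatio float64) []string {
	var flagged []string
	for _, s := range AnalyzeAccessLog(log) {
		if Suspicious(s, minRequests, minRatio) {
			flagged = append(flagged, s.Path)
		}
	}
	return flagged
}

func main() {
	for _, s := range AnalyzeAccessLog(SampleLog) {
		fmt.Printf("%-12s requests=%d distinct_queries=%d longest_query=%d\n", s.Path, s.Requests, s.DistinctQueries, s.LongestQuery)
	}
	fmt.Println("flagged:", FlagHighCardinality(SampleLog, 5, 0.9))
}
```

Run over a sliding window of real logs rather than a whole file, and alongside the process's memory metrics: a path that is flagged while resident memory climbs monotonically is the pattern this advisory describes, whereas a search endpoint with naturally diverse queries will show a high ratio without the memory growth.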

SIEM Query:

source="application_logs" AND ("otelhttp" OR "opentelemetry") AND (memory_usage > threshold OR "out of memory")

🔗 References
