CVE-2023-43810
📋 TL;DR
This vulnerability in OpenTelemetry Python autoinstrumentation allows attackers to cause memory exhaustion by sending HTTP requests with random, long HTTP method values. Because the 'http_method' metric label is taken directly from the request, its cardinality is unbounded: every distinct method string creates a new metric series, so processing many such requests consumes excessive memory. Affected systems are those using OpenTelemetry Python autoinstrumentation for HTTP handlers without proper HTTP method filtering.
💻 Affected Systems
- OpenTelemetry Python autoinstrumentation
📦 What is this software?
OpenTelemetry by the OpenTelemetry project
⚠️ Risk & Real-World Impact
Worst Case
Complete server memory exhaustion leading to denial of service, application crashes, and potential data loss or corruption.
Likely Case
Degraded performance, increased memory usage, and potential service disruption under sustained attack.
If Mitigated
Minimal impact with proper HTTP method validation and rate limiting in place.
🎯 Exploit Status
Attack requires sending HTTP requests with unusual method names, which is trivial to automate. No authentication needed for internet-facing applications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.41b0
Vendor Advisory: https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v
Restart Required: Yes
Instructions:
1. Update the OpenTelemetry Python autoinstrumentation package to version 0.41b0 or later.
2. Run: pip install --upgrade opentelemetry-instrumentation==0.41b0
3. Restart your application to apply the fix.
🔧 Temporary Workarounds
HTTP Method Filtering
Implement HTTP method validation at the CDN, load balancer, or application middleware level to reject unknown or malformed HTTP methods.
Disable HTTP Method Label
Configure OpenTelemetry to exclude the http_method label from metrics collection.
OTEL_PYTHON_INSTRUMENTATION_HTTP_CAPTURE_HTTP_METHOD=false
🧯 If You Can't Patch
- Implement HTTP method validation at network perimeter (CDN/LB) to only allow standard HTTP methods (GET, POST, PUT, DELETE, etc.)
- Deploy rate limiting and request filtering to block requests with unusually long or random HTTP methods
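The following is an added example, not code from the OpenTelemetry project, showing the cardinality problem described above and the middleware-style mitigation: any method outside a fixed allowlist (the set used in the SIEM query below) is folded into one "_OTHER" bucket so the label can never grow beyond a handful of series. The allowlist, the bucket name and the length cap are assumptions for illustration.

```python
# Added example (not OpenTelemetry project code): why an unbounded http_method
# label exhausts memory, and how normalizing it to an allowlist keeps the
# number of metric series constant no matter what the attacker sends.
from collections import Counter

# Assumed allowlist of standard methods; anything else maps to one bucket.
KNOWN_METHODS = frozenset({"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"})
OTHER_BUCKET = "_OTHER"          # assumption: single catch-all label value
MAX_LABEL_LEN = 16               # assumption: cap checked before set lookup


def sanitize_method(raw_method: str) -> str:
    """Map an arbitrary request method string to a bounded label value."""
    method = raw_method.strip().upper()
    if len(method) <= MAX_LABEL_LEN and method in KNOWN_METHODS:
        return method
    return OTHER_BUCKET


class RequestCounter:
    """Toy counter keyed by http_method, mimicking an instrument that keeps
    one time series (and its memory) per distinct label value."""

    def __init__(self, normalize: bool):
        self.normalize = normalize
        self.series = Counter()

    def record(self, method: str) -> None:
        label = sanitize_method(method) if self.normalize else method
        self.series[label] += 1

    def series_count(self) -> int:
        return len(self.series)


def simulate(methods, normalize: bool) -> int:
    """Feed a list of request methods through the counter; return series count."""
    counter = RequestCounter(normalize)
    for method in methods:
        counter.record(method)
    return counter.series_count()


# Constructed traffic: a few normal requests plus 500 requests whose method
# string differs every time, as in the attack described above.
SAMPLE_METHODS = ["GET", "POST", "GET"] + [f"X{i:08d}FOO" for i in range(500)]

if __name__ == "__main__":
    print("unbounded series:", simulate(SAMPLE_METHODS, normalize=False))  # 502
    print("bounded series:  ", simulate(SAMPLE_METHODS, normalize=True))   # 3
```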
🔍 How to Verify
Check if Vulnerable:
Check if OpenTelemetry Python autoinstrumentation version is below 0.41b0 and if HTTP handler instrumentation is enabled.
Check Version:
pip show opentelemetry-instrumentation | grep Version
Verify Fix Applied:
Verify OpenTelemetry Python autoinstrumentation version is 0.41b0 or higher and test that HTTP requests with random method names no longer cause memory spikes.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP method names in access logs
- Rapid memory consumption increases
- OpenTelemetry metrics with unusual http_method values
Network Indicators:
- HTTP requests with non-standard method names
- High volume of requests with varying method values
SIEM Query:
source="web_logs" AND http_method NOT IN ("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH")
🔗 References
- https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e
- https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0
- https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v