CVE-2023-45142

7.5 HIGH

📋 TL;DR

OpenTelemetry-Go Contrib's otelhttp.NewHandler wrapper records the HTTP method and User-Agent of every request as metric attributes with unbounded cardinality. Each distinct value creates a new time series that is kept in memory, so an attacker who sends requests with random or very long methods and User-Agent strings can grow the instrumented process until it exhausts memory. Affects programs that wrap handlers with otelhttp.NewHandler and do not filter unknown HTTP methods or User-Agents at the CDN, load balancer or middleware level.
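To make the failure mode concrete, here is an added, stand-alone simulation (not code from the advisory or from the otelhttp package) of what a metric aggregator keyed on request attributes does under this traffic. The counter type, the request generator and the method list are constructed for the example; boundedAttrs is modelled on the approach the fixed version takes, collapsing unknown methods to a single placeholder and leaving User-Agent out of the metric attribute set.

```go
package main

import (
	"fmt"
	"math/rand"
	"net/http"
	"strings"
)

// attrKey is the aggregation key of a request-count metric: one time series
// per distinct (method, user_agent) pair. (Constructed for this example.)
type attrKey struct {
	method    string
	userAgent string
}

// counter mimics an in-process metric aggregator: each distinct attribute set
// gets its own entry and nothing is ever evicted, so memory grows with the
// number of distinct attribute sets, not with the number of requests.
type counter struct {
	series map[attrKey]int
}

func newCounter() *counter { return &counter{series: make(map[attrKey]int)} }

func (c *counter) record(method, ua string) { c.series[attrKey{method, ua}]++ }

// cardinality is the number of live time series, i.e. the memory driver.
func (c *counter) cardinality() int { return len(c.series) }

// knownMethods is the bounded set of request methods kept verbatim.
var knownMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// boundedAttrs is the normalisation modelled on the fixed version: an unknown
// method collapses to the single placeholder "_OTHER" and User-Agent is not
// used as a metric attribute at all (it may still be recorded on the span,
// which is not aggregated). The result can take at most 10 distinct values.
func boundedAttrs(method, _ string) (string, string) {
	m := strings.ToUpper(method)
	if !knownMethods[m] {
		return "_OTHER", ""
	}
	return m, ""
}

// simulate feeds n requests into the counter and returns how many time series
// exist afterwards. Every request carries a unique User-Agent and a method
// drawn from a small list, as an attacker with a request loop would send.
// bounded=false models versions before 0.44.0.
func simulate(n int, bounded bool) int {
	rng := rand.New(rand.NewSource(1)) // fixed seed, deterministic output
	methods := []string{"GET", "POST", "get", "BREW", "PROPFIND"}
	c := newCounter()
	for i := 0; i < n; i++ {
		method := methods[rng.Intn(len(methods))]
		ua := fmt.Sprintf("bot/%d-%016x", i, rng.Uint64()) // unique per request
		if bounded {
			method, ua = boundedAttrs(method, ua)
		}
		c.record(method, ua)
	}
	return c.cardinality()
}

func main() {
	n := 10000
	fmt.Printf("%d requests -> %d series unbounded, %d series bounded\n",
		n, simulate(n, false), simulate(n, true))
}
```

With 10,000 requests the unbounded aggregator holds 10,000 series (one per request, because the User-Agent never repeats), while the bounded one holds three (GET, POST and _OTHER). The attacker's cost is one HTTP request per series; the server's cost is a map entry that lives until the process dies.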

💻 Affected Systems

Products:
  • OpenTelemetry-Go Contrib
Versions: before 0.44.0 (module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects programs that wrap HTTP handlers with otelhttp.NewHandler and do not filter unknown methods or User-Agents in front of it

📦 What is this software?

OpenTelemetry-Go Contrib is the collection of instrumentation libraries, propagators and exporters maintained alongside the OpenTelemetry Go SDK. Its otelhttp package (go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp) wraps net/http handlers and clients so that each request produces a span and request metrics, with attributes such as the HTTP method and User-Agent taken directly from the incoming request.

⚠️ Risk & Real-World Impact

🔴 Worst Case: the instrumented process exhausts its memory and is OOM-killed or stops responding, a denial of service for every service that process fronts

🟠 Likely Case: degraded performance and sustained memory pressure as the metric attribute set grows with every new method or User-Agent value

🟢 If Mitigated: minimal impact once requests are filtered in front of the handler or the patched version is deployed

🌐 Internet-Facing: HIGH - Attackers can easily craft malicious HTTP requests
🏢 Internal Only: MEDIUM - Requires internal attacker or compromised system

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY (no tooling is needed beyond a request loop that randomises the method and User-Agent header)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Only simple HTTP request manipulation is required; no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.44.0 and later

Vendor Advisory: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh

Restart Required: Yes

Instructions:

1. Bump the module in go.mod to the patched release: go get go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.44.0 (or later)
2. Run go mod tidy and confirm go.mod and go.sum now require v0.44.0 or later
3. Rebuild and redeploy the application
4. Restart affected services

🔧 Temporary Workarounds

Use otelhttp.WithFilter()

Applies to: all affected versions

Configure a filter that returns false for requests with an unknown HTTP method or an unwanted User-Agent value. A request rejected by a filter is passed straight to the wrapped handler without being instrumented, so it contributes no metric attributes; it is still served normally.

// Example: otelhttp.NewHandler(handler, "handler-name", otelhttp.WithFilter(filterFunc))

🧯 If You Can't Patch

  • Implement CDN/Load Balancer filtering for unknown HTTP methods and User-Agents
  • Add middleware to sanitize or reject requests with suspicious User-Agent headers
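An added example (not from the advisory or the otelhttp project) of both workarounds in Go, using only the standard library so it runs offline: instrumentFilter has the func(*http.Request) bool shape that otelhttp.WithFilter accepts, and rejectHostile is an ordinary net/http middleware for the case where the instrumentation cannot be reconfigured. The allowed-method set, the 512-byte User-Agent limit and the probe/filterAllows helpers are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedMethods is the bounded set of request methods this service serves.
// Anything outside it cannot be a legitimate request for this API. (Assumed.)
var allowedMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodOptions: true,
}

// maxUserAgentLen is an assumed operational limit; real browsers and SDKs
// send far less, so it only cuts off deliberately padded values.
const maxUserAgentLen = 512

// oversizedUA is a constructed attacker value used by main and the tests.
var oversizedUA = strings.Repeat("A", maxUserAgentLen+1)

// instrumentFilter has the func(*http.Request) bool shape of otelhttp.Filter.
// Returning false makes the otelhttp handler pass the request straight to
// the wrapped handler without producing a span or metric attributes:
//
//	otelhttp.NewHandler(h, "api", otelhttp.WithFilter(instrumentFilter))
//
// The request is still served; it is only left out of telemetry.
func instrumentFilter(r *http.Request) bool {
	return allowedMethods[r.Method] && len(r.UserAgent()) <= maxUserAgentLen
}

// filterAllows builds an in-memory request and reports instrumentFilter's decision.
func filterAllows(method, ua string) bool {
	req := httptest.NewRequest(method, "/", nil)
	req.Header.Set("User-Agent", ua)
	return instrumentFilter(req)
}

// rejectHostile is a plain net/http middleware for the case where the
// instrumentation cannot be reconfigured: unknown methods get 501 Not
// Implemented (RFC 9110 section 9.1) and an oversized User-Agent gets 400,
// before the wrapped, instrumented handler ever sees the request.
func rejectHostile(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			http.Error(w, "method not implemented", http.StatusNotImplemented)
			return
		}
		if len(r.UserAgent()) > maxUserAgentLen {
			http.Error(w, "user-agent too long", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// okHandler stands in for the application handler, which in a real service
// would be the otelhttp.NewHandler-wrapped handler sitting inside rejectHostile.
var okHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// probe runs one in-memory request through the middleware and returns the
// status code; no network socket is opened.
func probe(method, ua string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(method, "/", nil)
	req.Header.Set("User-Agent", ua)
	rejectHostile(okHandler).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("GET  normal UA   ->", probe(http.MethodGet, "curl/8.4.0"))
	fmt.Println("BREW normal UA   ->", probe("BREW", "curl/8.4.0"))
	fmt.Println("GET  oversize UA ->", probe(http.MethodGet, oversizedUA))
	fmt.Println("PROPFIND instrumented?", filterAllows("PROPFIND", "curl/8.4.0"))
}
```

Prefer the middleware when you can: the filter only stops the attacker from polluting telemetry, whereas refusing the request also denies them the application work behind the handler. Either way, keep the allowed set tight; a filter that allows "any syntactically valid token" is no bound at all.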

🔍 How to Verify

Check if Vulnerable:

Vulnerable if the module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp resolves to a version below v0.44.0 and any handler in the codebase is wrapped with otelhttp.NewHandler

Check Version:

go list -m go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp

Verify Fix Applied:

Confirm the resolved version is v0.44.0 or later, then send a few requests with made-up methods and User-Agent strings against a test instance and check your metrics backend: the HTTP method attribute should take only a bounded set of values and the User-Agent should no longer appear as a metric label

📡 Detection & Monitoring

Log Indicators:

  • Process RSS or heap growing steadily without a matching rise in request rate, and not returning after traffic drops
  • Many requests from one source whose User-Agent changes on every request or is abnormally long
  • HTTP methods outside the standard set (GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS, CONNECT, TRACE)

Network Indicators:

  • High volume of requests with varying User-Agent headers
  • Requests with non-standard HTTP methods

SIEM Query (Splunk-style; field names assume the access_combined source type, adjust to your own):

index=web sourcetype=access_combined
| stats count, dc(useragent) AS distinct_ua, dc(method) AS distinct_methods BY clientip
| where distinct_ua > 50 OR distinct_methods > 9
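An added example (not from the page's source) of the same detection logic run in Go over constructed access-log lines: per client address it counts distinct User-Agent values and requests with non-standard methods, the two indicators listed above, and returns the sources that cross a threshold. The log format (NCSA combined), the thresholds and the sample lines are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// accessLogLine matches the NCSA combined log format and captures the client
// address, the request method and the User-Agent header. (Assumed format.)
var accessLogLine = regexp.MustCompile(
	`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"`)

// standardMethods is the set a legitimate client of an ordinary HTTP API uses.
var standardMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "PATCH": true,
	"DELETE": true, "OPTIONS": true, "CONNECT": true, "TRACE": true,
}

// sourceStats accumulates the two indicators per client address.
type sourceStats struct {
	requests       int
	userAgents     map[string]struct{}
	unknownMethods int
}

// Finding is one client address that crossed a threshold.
type Finding struct {
	Source         string
	Requests       int
	DistinctUA     int
	UnknownMethods int
}

// analyze parses access-log text and returns the sources whose number of
// distinct User-Agent values reaches uaThreshold or whose number of requests
// with a non-standard method reaches methodThreshold, in first-seen order.
func analyze(logText string, uaThreshold, methodThreshold int) []Finding {
	stats := map[string]*sourceStats{}
	var order []string
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := accessLogLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a combined-format line; skip rather than guess
		}
		src, method, ua := m[1], m[2], m[3]
		s, ok := stats[src]
		if !ok {
			s = &sourceStats{userAgents: map[string]struct{}{}}
			stats[src] = s
			order = append(order, src)
		}
		s.requests++
		s.userAgents[ua] = struct{}{}
		if !standardMethods[method] {
			s.unknownMethods++
		}
	}
	var out []Finding
	for _, src := range order {
		s := stats[src]
		if len(s.userAgents) >= uaThreshold || s.unknownMethods >= methodThreshold {
			out = append(out, Finding{src, s.requests, len(s.userAgents), s.unknownMethods})
		}
	}
	return out
}

// sampleLog is constructed for this example: one browser client, one
// health-check probe, and one address that rotates its User-Agent on every
// request and also sends two non-standard methods.
const sampleLog = `10.0.0.5 - - [18/Oct/2023:10:00:00 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [18/Oct/2023:10:00:01 +0000] "POST /api/items HTTP/1.1" 201 64 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [18/Oct/2023:10:00:02 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "x-9f1c2e0a"
203.0.113.7 - - [18/Oct/2023:10:00:02 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "x-4d77be01"
203.0.113.7 - - [18/Oct/2023:10:00:02 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "x-c03aa9f4"
203.0.113.7 - - [18/Oct/2023:10:00:03 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "x-71e5d2bb"
203.0.113.7 - - [18/Oct/2023:10:00:03 +0000] "BREW /api/items HTTP/1.1" 200 512 "-" "x-0b8e6a13"
203.0.113.7 - - [18/Oct/2023:10:00:03 +0000] "PROPFIND /api/items HTTP/1.1" 200 512 "-" "x-5ee14c9d"
198.51.100.9 - - [18/Oct/2023:10:00:04 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.28"
`

func main() {
	for _, f := range analyze(sampleLog, 5, 1) {
		fmt.Printf("%s: %d requests, %d distinct User-Agents, %d non-standard methods\n",
			f.Source, f.Requests, f.DistinctUA, f.UnknownMethods)
	}
}
```

Against the sample only 203.0.113.7 is reported (6 requests, 6 distinct User-Agents, 2 non-standard methods). Set the User-Agent threshold from your own baseline: a NAT gateway or corporate proxy legitimately fronts many distinct browsers, so the distinct-count per source over a short window matters more than the absolute number.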

🔗 References

  • GitHub Security Advisory GHSA-5r5m-65gx-7vrh: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-45142