Skip to main content
Version: latest

CVE-2023-47108

CVE Details

Visit the official vulnerability details page for CVE-2023-47108 to learn more.

Initial Publication

10/25/2024

Last Update

12/16/2024

Third Party Dependency

go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

NIST CVE Summary

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

CVE Severity

7.5

Our Official Summary

This vulnerability is reported on the Kubernetes images such as apiserver, kube-controller-manager, kube-proxy and kube-scheduler. This flaw is from the open telemetry otelgrpc handler. Kubernetes components use open telemetry only for tracing and not for metrics collection, making this vulnerability a false positive and the risk of exploitation low.

Status

Ongoing

Affected Products & Versions

VersionPalette EnterprisePalette Enterprise AirgapVerteXVerteX Airgap
4.5.15⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.11⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.10⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.8⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.5⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.4⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.4.20⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted

Revision History

DateRevision
12/16/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15
12/11/2024Official summary revised: This vulnerability is reported on the Kubernetes images such as apiserver, kube-controller-manager, kube-proxy and kube-scheduler. This flaw is from the open telemetry otelgrpc handler. Kubernetes components use open telemetry only for tracing and not for metrics collection, making this vulnerability a false positive and the risk of exploitation low.
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5