CVE-2026-44967
Status: Awaiting Analysis (Queue)
OTLP HTTP Exporter Memory Exhaustion in OpenTelemetry-cpp

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 3 associated CPEs

Vendor          Product            Version / Range
open_telemetry  opentelemetry_cpp  1.27.0
open_telemetry  opentelemetry_go   up to 0.19.0 (excluding)
open_telemetry  opentelemetry_go   up to 1.43.0 (excluding)
CWE
CWE-789: The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Executive Summary

The vulnerability in OpenTelemetry-cpp occurs because the OTLP HTTP exporters (for traces, metrics, and logs) read the entire HTTP response into an in-memory vector of bytes without any size limit. If the collector endpoint is attacker-controlled, or a network attacker can intercept the connection, they can return an excessively large HTTP response; the exporter then allocates memory for the whole body, potentially exhausting system memory.

This unbounded memory allocation can lead to out-of-memory (OOM) conditions, causing the instrumented process to crash or become unavailable. The issue is due to the lack of size validation on the HTTP response body before reading it into memory.

The vulnerability was fixed in OpenTelemetry-cpp version 1.27.0 by introducing maximum size limits on HTTP response bodies to prevent excessive memory consumption.

Impact Analysis

This vulnerability affects any application or service that uses the OpenTelemetry-cpp OTLP HTTP exporters: the exporter can consume excessive memory while processing HTTP responses from the collector endpoint.

If an attacker controls the collector endpoint or can perform a man-in-the-middle (MITM) attack on the connection, they can send very large HTTP responses that cause the exporter to allocate large amounts of memory.

This can lead to memory exhaustion, resulting in out-of-memory (OOM) conditions that crash the process or degrade availability, effectively causing a denial-of-service (DoS) condition.

The vulnerability has a moderate severity with a CVSS score of 5.3, primarily impacting availability.

Detection Guidance

This vulnerability involves the OTLP HTTP exporter in opentelemetry-cpp reading unbounded HTTP response bodies into memory, potentially causing memory exhaustion. Detection can focus on monitoring for unusually high memory usage or crashes in processes that use vulnerable versions of opentelemetry-cpp (prior to 1.27.0).

Since the vulnerability is triggered by large HTTP responses from the configured collector endpoint, network monitoring tools can be used to inspect HTTP traffic to the OTLP endpoint for abnormally large responses.

Suggested commands to detect potential exploitation or vulnerability presence include:

  • Use system monitoring commands to check for high memory usage or crashes in processes using opentelemetry-cpp, e.g., `top`, `htop`, or `ps aux --sort=-rss | head`.
  • Capture and analyze network traffic to the OTLP HTTP endpoint using tools like `tcpdump` or `wireshark` to identify unusually large HTTP response bodies.
  • Use curl or a similar HTTP client to manually query the configured collector endpoint and observe response sizes, e.g., `curl -v <collector_endpoint>`.
  • Check the version of opentelemetry-cpp in use to confirm whether it is earlier than 1.27.0 (vulnerable).

Mitigation Strategies

The primary mitigation step is to upgrade the opentelemetry-cpp library to version 1.27.0 or later, where the vulnerability has been fixed by implementing maximum size limits on HTTP response bodies.

Additional immediate steps include:

  • Ensure that the configured OTLP collector endpoint is trusted and not attacker-controlled.
  • Use network security measures to prevent man-in-the-middle (MITM) attacks on the exporter connection, such as enforcing TLS with certificate validation.
  • Monitor application memory usage and logs for signs of memory exhaustion or crashes related to the OTLP HTTP exporter.
  • If upgrading immediately is not possible, consider disabling or limiting the use of OTLP HTTP exporters until a patch can be applied.
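
The following C++ example, added here and not taken from the opentelemetry-cpp code base, illustrates the pattern the description above attributes to the vulnerable exporters (appending every response chunk to a vector with no cap) next to the mitigation the fix is described as introducing (a maximum response body size). The libcurl-style write callback signature, the `kMaxResponseBodyBytes` value and the `BoundedBody`/`SimulateResponse` helpers are assumptions for the demonstration; the response data is constructed in the block.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical cap on an OTLP export response body (assumption, not the
// library's actual setting). Collectors return small acknowledgement
// payloads, so a few MiB leaves generous headroom for legitimate traffic.
constexpr std::size_t kMaxResponseBodyBytes = 4 * 1024 * 1024;

// Buffer that refuses to grow past a fixed limit.
struct BoundedBody {
  std::vector<std::uint8_t> bytes;
  std::size_t limit = kMaxResponseBodyBytes;
  bool truncated = false;  // set once the limit is hit; body is then unusable
};

// The pattern the advisory describes: every chunk is appended with no cap,
// so a peer that streams an arbitrarily large body grows the vector until
// the process runs out of memory. Kept here for contrast only.
std::size_t AppendUnbounded(const char* data, std::size_t size,
                            std::vector<std::uint8_t>& out) {
  out.insert(out.end(), data, data + size);
  return size;
}

// Hardened write callback using the libcurl-style signature (size * nmemb
// bytes per call). Returning fewer bytes than offered tells the transport to
// abort the transfer, so the rest of an oversized body is never read.
std::size_t BoundedWriteCallback(const char* ptr, std::size_t size,
                                 std::size_t nmemb, void* userdata) {
  auto* body = static_cast<BoundedBody*>(userdata);
  if (body->truncated) return 0;
  // Guard the multiplication itself; a huge nmemb must not wrap to a small value.
  if (size != 0 && nmemb > SIZE_MAX / size) {
    body->truncated = true;
    return 0;
  }
  const std::size_t incoming = size * nmemb;
  const std::size_t room = body->limit - body->bytes.size();
  if (incoming > room) {
    body->truncated = true;
    return 0;
  }
  body->bytes.insert(body->bytes.end(), ptr, ptr + incoming);
  return incoming;
}

// Early rejection on a declared Content-Length: parse with overflow checks and
// refuse anything above the limit before a single body byte is buffered.
// (Chunked responses carry no Content-Length, so the callback cap above is
// still required.)
bool ContentLengthWithinLimit(const std::string& value, std::size_t limit) {
  if (value.empty()) return false;
  std::size_t n = 0;
  for (char ch : value) {
    if (ch < '0' || ch > '9') return false;
    const std::size_t d = static_cast<std::size_t>(ch - '0');
    if (d > limit || n > (limit - d) / 10) return false;  // n*10+d > limit
    n = n * 10 + d;
  }
  return true;
}

// Feeds a constructed response of total_bytes to the callback in chunk_bytes
// pieces, stopping as soon as the callback aborts. Returns bytes kept.
std::size_t SimulateResponse(std::size_t total_bytes, std::size_t chunk_bytes,
                             BoundedBody& body) {
  std::vector<char> chunk(chunk_bytes, 'x');
  std::size_t sent = 0;
  while (sent < total_bytes) {
    const std::size_t n = std::min(chunk_bytes, total_bytes - sent);
    if (BoundedWriteCallback(chunk.data(), 1, n, &body) != n) break;
    sent += n;
  }
  return body.bytes.size();
}

int main() {
  BoundedBody ok;  ok.limit = 1024;   // small limit so the demo is quick
  BoundedBody big; big.limit = 1024;
  const std::size_t a = SimulateResponse(512, 100, ok);
  const std::size_t b = SimulateResponse(1u << 20, 100, big);
  std::printf("512-byte response: kept %zu bytes, truncated=%d\n", a, ok.truncated);
  std::printf("1 MiB response:    kept %zu bytes, truncated=%d\n", b, big.truncated);
  return 0;
}
```

The bounded path never holds more than `limit` bytes regardless of what the peer sends, and aborting the transfer (rather than silently discarding the overflow) keeps the network read from continuing on the exporter's behalf. Treat a truncated response as an export failure in the caller.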