OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

The version of prometheus / opa / docker-buildx / kubernetes / cri-tools installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-45142 advisory.

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper     out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to     the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-     Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library     internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In     order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown     HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this     issue when the values collected for attribute `http.request.method` were changed to be restricted to a set     of well-known values and other high cardinality attributes were removed. As a workaround to stop being     affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log     certain requests entirely. For convenience and safe usage of this library, it should by default mark with     the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do     not increase cardinality. In case someone wants to stay with the current behavior, library API should     allow to enable it. (CVE-2023-45142)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4118 advisory.

    Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable     version of the Ceph storage system with a Ceph management platform, deployment utilities, and support     services.

    Security Fix(es):
    * CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work     (CVE-2023-44487)
    *  grafana-container: go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on     go-git clients (CVE-2023-49569)
    * opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

    These new packages include numerous security updates, enhancements, and bug fixes. Space precludes     documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release     Notes for information on the most significant of these changes:

    https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5.3/html/release_notes/index

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-19d093c14d advisory.

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper     out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to     the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-     Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library     internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In     order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown     HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this     issue when the values collected for attribute `http.request.method` were changed to be restricted to a set     of well-known values and other high cardinality attributes were removed. As a workaround to stop being     affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log     certain requests entirely. For convenience and safe usage of this library, it should by default mark with     the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do     not increase cardinality. In case someone wants to stay with the current behavior, library API should     allow to enable it. (CVE-2023-45142)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-22b915e51a advisory.

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper     out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to     the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-     Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library     internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In     order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown     HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this     issue when the values collected for attribute `http.request.method` were changed to be restricted to a set     of well-known values and other high cardinality attributes were removed. As a workaround to stop being     affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log     certain requests entirely. For convenience and safe usage of this library, it should by default mark with     the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do     not increase cardinality. In case someone wants to stay with the current behavior, library API should     allow to enable it. (CVE-2023-45142)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of cri-tools installed on the remote host is prior to 1.29.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2446 advisory.

  - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response     body to read many more bytes from the network than are in the body. A malicious HTTP client can further     exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a     handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which     permit including additional metadata in a request or response body sent using the chunked encoding. The     net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large     metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real     body to encoded bytes grows too small. (CVE-2023-39326)

  - Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be     escaped to not be. This could lead to an XSS attack. (CVE-2023-3978)

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper     out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to     the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-     Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library     internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In     order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown     HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this     issue when the values collected for attribute `http.request.method` were changed to be restricted to a set     of well-known values and other high cardinality attributes were removed. As a workaround to stop being     affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log     certain requests entirely. For convenience and safe usage of this library, it should by default mark with     the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do     not increase cardinality. In case someone wants to stay with the current behavior, library API should     allow to enable it. (CVE-2023-45142)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-498 advisory.

  - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive     server resource consumption. While the total number of requests is bounded by the     http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create     a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound     the number of simultaneously executing handler goroutines to the stream concurrency limit     (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client     has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows     too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2     for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per     HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the     Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

  - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response     body to read many more bytes from the network than are in the body. A malicious HTTP client can further     exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a     handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which     permit including additional metadata in a request or response body sent using the chunked encoding. The     net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large     metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real     body to encoded bytes grows too small. (CVE-2023-39326)

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper     out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to     the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-     Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library     internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In     order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown     HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this     issue when the values collected for attribute `http.request.method` were changed to be restricted to a set     of well-known values and other high cardinality attributes were removed. As a workaround to stop being     affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log     certain requests entirely. For convenience and safe usage of this library, it should by default mark with     the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do     not increase cardinality. In case someone wants to stay with the current behavior, library API should     allow to enable it. (CVE-2023-45142)

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version     0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and     `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion     when many malicious requests are sent. An attacker can easily flood the peer address and port for     requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view     removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by     passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. (CVE-2023-47108)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of amazon-cloudwatch-agent installed on the remote host is prior to 1.300032.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2424 advisory.

  - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive     server resource consumption. While the total number of requests is bounded by the     http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create     a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound     the number of simultaneously executing handler goroutines to the stream concurrency limit     (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client     has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows     too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2     for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per     HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the     Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

  - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response     body to read many more bytes from the network than are in the body. A malicious HTTP client can further     exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a     handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which     permit including additional metadata in a request or response body sent using the chunked encoding. The     net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large     metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real     body to encoded bytes grows too small. (CVE-2023-39326)

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper     out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to     the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-     Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library     internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In     order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown     HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this     issue when the values collected for attribute `http.request.method` were changed to be restricted to a set     of well-known values and other high cardinality attributes were removed. As a workaround to stop being     affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log     certain requests entirely. For convenience and safe usage of this library, it should by default mark with     the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do     not increase cardinality. In case someone wants to stay with the current behavior, library API should     allow to enable it. (CVE-2023-45142)

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version     0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and     `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion     when many malicious requests are sent. An attacker can easily flood the peer address and port for     requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view     removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by     passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. (CVE-2023-47108)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
201738	CBL Mariner 2.0 Security Update: prometheus / opa / docker-buildx / kubernetes / cri-tools (CVE-2023-45142)	Nessus	MarinerOS Local Security Checks	high
201046	RHEL 8 / 9 : Red Hat Ceph Storage 5.3 (RHSA-2024:4118)	Nessus	Red Hat Local Security Checks	critical
194531	Fedora 40 : caddy (2024-19d093c14d)	Nessus	Fedora Local Security Checks	high
190677	Fedora 39 : caddy (2024-22b915e51a)	Nessus	Fedora Local Security Checks	high
190040	Amazon Linux 2 : cri-tools (ALAS-2024-2446)	Nessus	Amazon Linux Local Security Checks	medium
189342	Amazon Linux 2023 : amazon-cloudwatch-agent (ALAS2023-2024-498)	Nessus	Amazon Linux Local Security Checks	medium
189333	Amazon Linux 2 : amazon-cloudwatch-agent (ALAS-2024-2424)	Nessus	Amazon Linux Local Security Checks	medium

Detections

Analytics

CVE-2023-45142

high

Tenable Plugins

high

critical

high

high

medium

medium

medium