OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3288-1 advisory.

    - Require Go > 1.20 for building

    - Bump go-retryablehttp to version 0.7.7       (CVE-2024-6104, bsc#1227038)
    - Migrate from `disabled` to `manual` service mode
    - Add0003-Bump-go-retryablehttp.patch
    - Update to 2.45.6 (jsc#PED-3577):
      * Security fixes in dependencies
    - Update to 2.45.5:
      * [BUGFIX] tsdb/agent: ensure that new series get written to WAL         on rollback.
      * [BUGFIX] Remote write: Avoid a race condition when applying         configuration.
    - Update to 2.45.4:
      * [BUGFIX] Remote read: Release querier resources before encoding         the results.
    - Update to 2.45.3:
      * Security fixes in dependencies
      * [BUGFIX] TSDB: Remove double memory snapshot on shutdown.
    - Update to 2.45.2:
      * Security fixes in dependencies
      * [SECURITY] Updated otelhttp to version 0.46.1         (CVE-2023-45142, bsc#1228556)
      * [BUGFIX] TSDB: Fix PostingsForMatchers race with creating new         series.
    - Update to 2.45.1:
      * [ENHANCEMENT] Hetzner SD: Support larger ID's that will be used         by Hetzner in September.
      * [BUGFIX] Linode SD: Cast InstanceSpec values to int64 to avoid         overflows on 386 architecture.
      * [BUGFIX] TSDB: Handle TOC parsing failures.

    - update to 2.45.0 (jsc#PED-5406):
      * [FEATURE] API: New limit parameter to limit the number of items         returned by `/api/v1/status/tsdb` endpoint.
      * [FEATURE] Config: Add limits to global config.
      * [FEATURE] Consul SD: Added support for `path_prefix`.
      * [FEATURE] Native histograms: Add option to scrape both classic         and native histograms.
      * [FEATURE] Native histograms: Added support for two more         arithmetic operators `avg_over_time` and `sum_over_time`.
      * [FEATURE] Promtool: When providing the block id, only one block         will be loaded and analyzed.
      * [FEATURE] Remote-write: New Azure ad configuration to support         remote writing directly to Azure Monitor workspace.
      * [FEATURE] TSDB: Samples per chunk are now configurable with         flag `storage.tsdb.samples-per-chunk`. By default set to its         former value 120.
      * [ENHANCEMENT] Native histograms: bucket size can now be limited         to avoid scrape fails.
      * [ENHANCEMENT] TSDB: Dropped series are now deleted from the WAL         sooner.
      * [BUGFIX] Native histograms: ChunkSeries iterator now checks if         a new sample can be appended to the open chunk.
      * [BUGFIX] Native histograms: Fix Histogram Appender         `Appendable()` segfault.
      * [BUGFIX] Native histograms: Fix setting reset header to gauge         histograms in seriesToChunkEncoder.
      * [BUGFIX] TSDB: Tombstone intervals are not modified after Get()         call.
      * [BUGFIX] TSDB: Use path/filepath to set the WAL directory.
    - update to 2.44.0:
      * [FEATURE] Remote-read: Handle native histograms.
      * [FEATURE] Promtool: Health and readiness check of prometheus         server in CLI.
      * [FEATURE] PromQL: Add `query_samples_total` metric, the total         number of samples loaded by all queries.
      * [ENHANCEMENT] Storage: Optimise buffer used to iterate through         samples.
      * [ENHANCEMENT] Scrape: Reduce memory allocations on target         labels.
      * [ENHANCEMENT] PromQL: Use faster heap method for `topk()` /         `bottomk()`.
      * [ENHANCEMENT] Rules API: Allow filtering by rule name.
      * [ENHANCEMENT] Native Histograms: Various fixes and         improvements.
      * [ENHANCEMENT] UI: Search of scraping pools is now         case-insensitive.
      * [ENHANCEMENT] TSDB: Add an affirmative log message for         successful WAL repair.
      * [BUGFIX] TSDB: Block compaction failed when shutting down.
      * [BUGFIX] TSDB: Out-of-order chunks could be ignored if the         write-behind log was deleted.
    - rebase patch 0001-Do-not-force-the-pure-Go-name-resolver.patch       onto v2.44.0
    - update to 2.43.1
      * [BUGFIX] Labels: Set() after Del() would be ignored, which         broke some relabeling rules.
    - update to 2.43.0:
      * [FEATURE] Promtool: Add HTTP client configuration to query         commands.
      * [FEATURE] Scrape: Add `include_scrape_configs` to include         scrape configs from different files.
      * [FEATURE] HTTP client: Add `no_proxy` to exclude URLs from         proxied requests.
      * [FEATURE] HTTP client: Add `proxy_from_enviroment` to read         proxies from env variables.
      * [ENHANCEMENT] API: Add support for setting lookback delta per         query via the API.
      * [ENHANCEMENT] API: Change HTTP status code from 503/422 to 499         if a request is canceled.
      * [ENHANCEMENT] Scrape: Allow exemplars for all metric types.
      * [ENHANCEMENT] TSDB: Add metrics for head chunks and WAL folders         size.
      * [ENHANCEMENT] TSDB: Automatically remove incorrect snapshot         with index that is ahead of WAL.
      * [ENHANCEMENT] TSDB: Improve Prometheus parser error outputs to         be more comprehensible.
      * [ENHANCEMENT] UI: Scope `group by` labels to metric in         autocompletion.
      * [BUGFIX] Scrape: Fix         `prometheus_target_scrape_pool_target_limit` metric not set         before reloading.
      * [BUGFIX] TSDB: Correctly update         `prometheus_tsdb_head_chunks_removed_total` and         `prometheus_tsdb_head_chunks` metrics when reading WAL.
      * [BUGFIX] TSDB: Use the correct unit (seconds) when recording         out-of-order append deltas in the         `prometheus_tsdb_sample_ooo_delta` metric.
    - update to 2.42.0:
      This release comes with a bunch of feature coverage for native       histograms and breaking changes.
      If you are trying native histograms already, we recommend you       remove the `wal` directory when upgrading.
      Because the old WAL record for native histograms is not       backward compatible in v2.42.0, this will lead to some data       loss for the latest data.
      Additionally, if you scrape 'float histograms' or use recording       rules on native histograms in v2.42.0 (which writes float       histograms), it is a one-way street since older versions do not       support float histograms.
      * [CHANGE] **breaking** TSDB: Changed WAL record format for the         experimental native histograms.
      * [FEATURE] Add 'keep_firing_for' field to alerting rules.
      * [FEATURE] Promtool: Add support of selecting timeseries for         TSDB dump.
      * [ENHANCEMENT] Agent: Native histogram support.
      * [ENHANCEMENT] Rules: Support native histograms in recording         rules.
      * [ENHANCEMENT] SD: Add container ID as a meta label for pod         targets for Kubernetes.
      * [ENHANCEMENT] SD: Add VM size label to azure service         discovery.
      * [ENHANCEMENT] Support native histograms in federation.
      * [ENHANCEMENT] TSDB: Add gauge histogram support.
      * [ENHANCEMENT] TSDB/Scrape: Support FloatHistogram that         represents buckets as float64 values.
      * [ENHANCEMENT] UI: Show individual scrape pools on /targets         page.
    - update to 2.41.0:
      * [FEATURE] Relabeling: Add keepequal and dropequal relabel         actions.
      * [FEATURE] Add support for HTTP proxy headers.
      * [ENHANCEMENT] Reload private certificates when changed on disk.
      * [ENHANCEMENT] Add max_version to specify maximum TLS version in         tls_config.
      * [ENHANCEMENT] Add goos and goarch labels to         prometheus_build_info.
      * [ENHANCEMENT] SD: Add proxy support for EC2 and LightSail SDs.
      * [ENHANCEMENT] SD: Add new metric         prometheus_sd_file_watcher_errors_total.
      * [ENHANCEMENT] Remote Read: Use a pool to speed up marshalling.
      * [ENHANCEMENT] TSDB: Improve handling of tombstoned chunks in         iterators.
      * [ENHANCEMENT] TSDB: Optimize postings offset table reading.
      * [BUGFIX] Scrape: Validate the metric name, label names, and         label values after relabeling.
      * [BUGFIX] Remote Write receiver and rule manager: Fix error         handling.
    - update to 2.40.7:
      * [BUGFIX] TSDB: Fix queries involving negative buckets of native         histograms.
    - update to 2.40.5:
      * [BUGFIX] TSDB: Fix queries involving native histograms due to         improper reset of iterators.
    - update to 2.40.3:
      * [BUGFIX] TSDB: Fix compaction after a deletion is called.
    - update to 2.40.2:
      * [BUGFIX] UI: Fix black-on-black metric name color in dark mode.
    - update to 2.40.1:
      * [BUGFIX] TSDB: Fix alignment for atomic int64 for 32 bit         architecture.
      * [BUGFIX] Scrape: Fix accept headers.
    - update to 2.40.0:
      * [FEATURE] Add experimental support for native histograms.
        Enable with the flag --enable-feature=native-histograms.
      * [FEATURE] SD: Add service discovery for OVHcloud.
      * [ENHANCEMENT] Kubernetes SD: Use protobuf encoding.
      * [ENHANCEMENT] TSDB: Use golang.org/x/exp/slices for improved         sorting speed.
      * [ENHANCEMENT] Consul SD: Add enterprise admin partitions. Adds
        __meta_consul_partition label. Adds partition config in         consul_sd_config.
      * [BUGFIX] API: Fix API error codes for /api/v1/labels and         /api/v1/series.
    - update to 2.39.1:
      * [BUGFIX] Rules: Fix notifier relabel changing the labels on         active alerts.
    - update to 2.39.0:
      * [FEATURE] experimental TSDB: Add support for ingesting         out-of-order samples. This is configured via         out_of_order_time_window field in the config file; check config         file docs for more info.
      * [ENHANCEMENT] API: /-/healthy and /-/ready API calls now also         respond to a HEAD request on top of existing GET support.
      * [ENHANCEMENT] PuppetDB SD: Add __meta_puppetdb_query label.
      * [ENHANCEMENT] AWS EC2 SD: Add __meta_ec2_region label.
      * [ENHANCEMENT] AWS Lightsail SD: Add __meta_lightsail_region         label.
      * [ENHANCEMENT] Scrape: Optimise relabeling by re-using memory.
      * [ENHANCEMENT] TSDB: Improve WAL replay timings.
      * [ENHANCEMENT] TSDB: Optimise memory by not storing unnecessary         data in the memory.
      * [ENHANCEMENT] TSDB: Allow overlapping blocks by default.
        --storage.tsdb.allow-overlapping-blocks now has no effect.
      * [ENHANCEMENT] UI: Click to copy label-value pair from query         result to clipboard.
      * [BUGFIX] TSDB: Turn off isolation for Head compaction to fix a         memory leak.
      * [BUGFIX] TSDB: Fix 'invalid magic number 0' error on Prometheus         startup.
      * [BUGFIX] PromQL: Properly close file descriptor when logging         unfinished queries.
      * [BUGFIX] Agent: Fix validation of flag options and prevent WAL         from growing more than desired.
    - update to 2.38.0:
      * [FEATURE]: Web: Add a /api/v1/format_query HTTP API endpoint         that allows pretty-formatting PromQL expressions.
      * [FEATURE]: UI: Add support for formatting PromQL expressions in         the UI.
      * [FEATURE]: DNS SD: Support MX records for discovering targets.
      * [FEATURE]: Templates: Add toTime() template function that         allows converting sample timestamps to Go time.Time values.
      * [ENHANCEMENT]: Kubernetes SD: Add
        __meta_kubernetes_service_port_number meta label indicating the         service port number.
      * [ENHANCEMENT]: Kubernetes SD: Add
        __meta_kubernetes_pod_container_image meta label indicating the         container image.
      * [ENHANCEMENT]: PromQL: When a query panics, also log the query         itself alongside the panic message.
      * [ENHANCEMENT]: UI: Tweak colors in the dark theme to improve         the contrast ratio.
      * [ENHANCEMENT]: Web: Speed up calls to /api/v1/rules by avoiding         locks and using atomic types instead.
      * [ENHANCEMENT]: Scrape: Add a no-default-scrape-port feature         flag, which omits or removes any default HTTP (:80) or HTTPS         (:443) ports in the target's scrape address.
      * [BUGFIX]: TSDB: In the WAL watcher metrics, expose the         type='exemplar' label instead of type='unknown' for exemplar         records.
      * [BUGFIX]: TSDB: Fix race condition around allocating series IDs         during chunk snapshot loading.

    - Remove npm_licenses.tar.bz2 during 'make clean'

    - Remove web-ui archives during 'make clean'.

      * [SECURITY] CVE-2022-41715: Limit memory used by parsing regexps         (bsc#1204023).
    - Fix uncontrolled resource consumption by updating Go to version       1.20.1 (CVE-2022-41723, bsc#1208298)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3267-1 advisory.

    golang-github-prometheus-prometheus:

    - Security issues fixed:

      * CVE-2024-6104: Update go-retryablehttp to version 0.7.7 (bsc#1227038)
      * CVE-2023-45142: Updated otelhttp to version 0.46.1 (bsc#1228556)

    - Require Go > 1.20 for building
    - Migrate from `disabled` to `manual` service mode
    - Update to 2.45.6 (jsc#PED-3577):
      * Security fixes in dependencies
    - Update to 2.45.5:
      * [BUGFIX] tsdb/agent: ensure that new series get written to WAL         on rollback.
      * [BUGFIX] Remote write: Avoid a race condition when applying         configuration.
    - Update to 2.45.4:
      * [BUGFIX] Remote read: Release querier resources before encoding         the results.
    - Update to 2.45.3:
      * [BUGFIX] TSDB: Remove double memory snapshot on shutdown.
    - Update to 2.45.2:
      * [BUGFIX] TSDB: Fix PostingsForMatchers race with creating new         series.
    - Update to 2.45.1:
      * [ENHANCEMENT] Hetzner SD: Support larger ID's that will be used         by Hetzner in September.
      * [BUGFIX] Linode SD: Cast InstanceSpec values to int64 to avoid         overflows on 386 architecture.
      * [BUGFIX] TSDB: Handle TOC parsing failures.

    rhnlib:

    - Version 5.0.4-0
      * Add the old TLS code for very old traditional clients still on         python 2.7 (bsc#1228198)

    spacecmd:

    - Version 5.0.9-0
      * Update translation strings

    uyuni-tools:

    - Version 0.1.21-0
      * mgrpxy: Fix typo on Systemd template
    - Version 0.1.20-0
      * Update the push tag to 5.0.1
      * mgrpxy: expose port on IPv6 network (bsc#1227951)
    - Version 0.1.19-0
      * Skip updating Tomcat remote debug if conf file is not present
    - Version 0.1.18-0
      * Setup Confidential Computing container during migration         (bsc#1227588)
      * Add the /etc/uyuni/uyuni-tools.yaml path to the config help
      * Split systemd config files to not loose configuration at upgrade         (bsc#1227718)
      * Use the same logic for image computation in mgradm and mgrpxy         (bsc#1228026)
      * Allow building with different Helm and container default         registry paths (bsc#1226191)
      * Fix recursion in mgradm upgrade podman list --help
      * Setup hub xmlrpc API service in migration to Podman (bsc#1227588)
      * Setup disabled hub xmlrpc API service in all cases (bsc#1227584)
      * Clean the inspection code to make it faster
      * Properly detect IPv6 enabled on Podman network (bsc#1224349)
      * Fix the log file path generation
      * Write scripts output to uyuni-tools.log file
      * Add uyuni-hubxml-rpc to the list of values in         mgradm scale --help
      * Use path in mgradm support sql file input (bsc#1227505)
      * On Ubuntu build with go1.21 instead of go1.20
      * Enforce Cobbler setup (bsc#1226847)
      * Expose port on IPv6 network (bsc#1227951)
      * show output of podman image search --list-tags command
      * Implement mgrpxy support config command
      * During migration, ignore /etc/sysconfig/tomcat and         /etc/tomcat/tomcat.conf (bsc#1228183)
      * During migration, remove java.annotation,com.sun.xml.bind and         UseConcMarkSweepGC settings
      * Disable node exporter port for Kubernetes
      * Fix start, stop and restart in Kubernetes
      * Increase start timeout in Kubernetes
      * Fix traefik query
      * Fix password entry usability (bsc#1226437)
      * Add --prepare option to migrate command
      * Fix random error during installation of CA certificate         (bsc#1227245)
      * Clarify and fix distro name guessing when not provided         (bsc#1226284)
      * Replace not working Fatal error by plain error return         (bsc#1220136)
      * Allow server installation with preexisting storage volumes
      * Do not report error when purging mounted volume (bsc#1225349)
      * Preserve PAGER settings from the host for interactive sql         usage (bsc#1226914)
      * Add mgrpxy command to clear the Squid cache
      * Use local images for Confidential Computing and         Hub containers (bsc#1227586)
    - Version 0.1.17-0
      * Allow GPG files to be loaded from the local file (bsc#1227195)
    - Version 0.1.16-0
      * Prefer local images in all migration steps (bsc#1227244)
    - Version 0.1.15-0
      * Define --registry flag behaviour (bsc#1226793)
    - Version 0.1.14-0
      * Do not rely on hardcoded registry, remove any FQDN
    - Version 0.1.13-0
      * Fix mgradm support config tarball creation (bsc#1226759)
    - Version 0.1.12-0
      * Detection of k8s on Proxy was wrongly influenced by Server         setting

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3221-1 advisory.

    - Update to containerd v1.7.21
    - CVE-2023-47108: Fixed DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound     cardinality metrics. (bsc#1217070)
    - CVE-2023-45142: Fixed DoS vulnerability in otelhttp. (bsc#1228553)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3188-1 advisory.

    - Update to containerd v1.7.21
    - CVE-2023-47108: Fixed DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound     cardinality metrics. (bsc#1217070)
    - CVE-2023-45142: Fixed DoS vulnerability in otelhttp. (bsc#1228553)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of kube-vip-cloud-provider / cert-manager / opa / docker-buildx / kubernetes / cri-tools installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-45142 advisory.

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper     out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to     the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-     Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library     internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In     order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown     HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this     issue when the values collected for attribute `http.request.method` were changed to be restricted to a set     of well-known values and other high cardinality attributes were removed. As a workaround to stop being     affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log     certain requests entirely. For convenience and safe usage of this library, it should by default mark with     the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do     not increase cardinality. In case someone wants to stay with the current behavior, library API should     allow to enable it. (CVE-2023-45142)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4118 advisory.

    Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable     version of the Ceph storage system with a Ceph management platform, deployment utilities, and support     services.

    Security Fix(es):
    * CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work     (CVE-2023-44487)
    *  grafana-container: go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on     go-git clients (CVE-2023-49569)
    * opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

    These new packages include numerous security updates, enhancements, and bug fixes. Space precludes     documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release     Notes for information on the most significant of these changes:

    https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5.3/html/release_notes/index

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-19d093c14d advisory.

    Automatic update for caddy-2.7.6-1.fc40.

    ##### **Changelog**

    ```
    * Fri Feb  9 2024 Carl George <carlwgeorge@fedoraproject.org> - 2.7.6-1
    - Update to version 2.7.6 rhbz#2253698
    - Includes fix for CVE-2023-45142 rhbz#2246587

    ```

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-22b915e51a advisory.

    Update to the latest upstream version, which includes a fix for CVE-2023-45142.

    https://github.com/caddyserver/caddy/releases/tag/v2.7.6

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of cri-tools installed on the remote host is prior to 1.29.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2446 advisory.

  - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response     body to read many more bytes from the network than are in the body. A malicious HTTP client can further     exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a     handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which     permit including additional metadata in a request or response body sent using the chunked encoding. The     net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large     metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real     body to encoded bytes grows too small. (CVE-2023-39326)

  - Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be     escaped to not be. This could lead to an XSS attack. (CVE-2023-3978)

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper     out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to     the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-     Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library     internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In     order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown     HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this     issue when the values collected for attribute `http.request.method` were changed to be restricted to a set     of well-known values and other high cardinality attributes were removed. As a workaround to stop being     affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log     certain requests entirely. For convenience and safe usage of this library, it should by default mark with     the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do     not increase cardinality. In case someone wants to stay with the current behavior, library API should     allow to enable it. (CVE-2023-45142)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-498 advisory.

  - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive     server resource consumption. While the total number of requests is bounded by the     http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create     a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound     the number of simultaneously executing handler goroutines to the stream concurrency limit     (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client     has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows     too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2     for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per     HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the     Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

  - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response     body to read many more bytes from the network than are in the body. A malicious HTTP client can further     exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a     handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which     permit including additional metadata in a request or response body sent using the chunked encoding. The     net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large     metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real     body to encoded bytes grows too small. (CVE-2023-39326)

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper     out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to     the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-     Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library     internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In     order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown     HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this     issue when the values collected for attribute `http.request.method` were changed to be restricted to a set     of well-known values and other high cardinality attributes were removed. As a workaround to stop being     affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log     certain requests entirely. For convenience and safe usage of this library, it should by default mark with     the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do     not increase cardinality. In case someone wants to stay with the current behavior, library API should     allow to enable it. (CVE-2023-45142)

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version     0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and     `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion     when many malicious requests are sent. An attacker can easily flood the peer address and port for     requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view     removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by     passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. (CVE-2023-47108)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of amazon-cloudwatch-agent installed on the remote host is prior to 1.300032.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2424 advisory.

  - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive     server resource consumption. While the total number of requests is bounded by the     http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create     a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound     the number of simultaneously executing handler goroutines to the stream concurrency limit     (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client     has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows     too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2     for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per     HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the     Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

  - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response     body to read many more bytes from the network than are in the body. A malicious HTTP client can further     exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a     handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which     permit including additional metadata in a request or response body sent using the chunked encoding. The     net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large     metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real     body to encoded bytes grows too small. (CVE-2023-39326)

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper     out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to     the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-     Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library     internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In     order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown     HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this     issue when the values collected for attribute `http.request.method` were changed to be restricted to a set     of well-known values and other high cardinality attributes were removed. As a workaround to stop being     affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log     certain requests entirely. For convenience and safe usage of this library, it should by default mark with     the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do     not increase cardinality. In case someone wants to stay with the current behavior, library API should     allow to enable it. (CVE-2023-45142)

  - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version     0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and     `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion     when many malicious requests are sent. An attacker can easily flood the peer address and port for     requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view     removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by     passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. (CVE-2023-47108)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
207376	SUSE SLES15 / openSUSE 15 Security Update : golang-github-prometheus-prometheus (SUSE-SU-2024:3288-1)	Nessus	SuSE Local Security Checks	medium
207375	openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2024:3267-1)	Nessus	SuSE Local Security Checks	medium
207218	SUSE SLES15 / openSUSE 15 Security Update : containerd (SUSE-SU-2024:3221-1)	Nessus	SuSE Local Security Checks	critical
206967	SUSE SLES12 Security Update : containerd (SUSE-SU-2024:3188-1)	Nessus	SuSE Local Security Checks	high
203015	openSUSE 15 Security Update : caddy (openSUSE-SU-2024:0211-1)	Nessus	SuSE Local Security Checks	high
201738	CBL Mariner 2.0 Security Update: kube-vip-cloud-provider / cert-manager / opa / docker-buildx / kubernetes / cri-tools (CVE-2023-45142)	Nessus	MarinerOS Local Security Checks	high
201046	RHEL 8 / 9 : Red Hat Ceph Storage 5.3 (RHSA-2024:4118)	Nessus	Red Hat Local Security Checks	critical
194531	Fedora 40 : caddy (2024-19d093c14d)	Nessus	Fedora Local Security Checks	high
190677	Fedora 39 : caddy (2024-22b915e51a)	Nessus	Fedora Local Security Checks	high
190040	Amazon Linux 2 : cri-tools (ALAS-2024-2446)	Nessus	Amazon Linux Local Security Checks	medium
189342	Amazon Linux 2023 : amazon-cloudwatch-agent (ALAS2023-2024-498)	Nessus	Amazon Linux Local Security Checks	medium
189333	Amazon Linux 2 : amazon-cloudwatch-agent (ALAS-2024-2424)	Nessus	Amazon Linux Local Security Checks	medium

Detections

Analytics

CVE-2023-45142

high

Tenable Plugins

medium

medium

critical

high

high

high

critical

high

high

medium

medium

medium