OpenTelemetry-Go
cpe:2.3:a:cncf:opentelemetry-go_contrib:*:*:*:*:opentelemetry-go:*:*, +3 more
- < 0.19.0
- < 1.43.0
A memory exhaustion vulnerability has been identified in OpenTelemetry-Go versions prior to 1.43.0. The issue arises in the OTLP HTTP exporters for traces, metrics, and logs, which read the entire HTTP response body into an in-memory buffer without any size limitation. This flaw can be exploited to cause memory exhaustion, particularly when the collector endpoint is controlled by an attacker or when a network attacker can intercept the exporter's connection. The vulnerability is mitigated in version 1.43.0.
Exploitation of this vulnerability can lead to significant memory consumption, with peak memory usage increasing based on the size of the response body chosen by an attacker. This can potentially cause the process to run out of memory and crash.
The vulnerability can be reproduced by sending a large HTTP response from a collector endpoint that is either attacker-controlled or can be intercepted by a network attacker. The OTLP HTTP exporter will read the response body into memory, causing increased memory usage that can lead to a process crash.
Users can upgrade to OpenTelemetry-Go version 1.43.0 or later to address this vulnerability.
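The pattern behind the advisory and its mitigation, shown as an added Go example that is not code from the OpenTelemetry-Go project. A constructed httptest server stands in for a collector endpoint that answers an export request with a 1 MiB body; `readAllUnbounded` buffers whatever it receives, while `readBounded` caps the read at a limit and rejects anything longer. The 64 KiB cap (`maxResponseBody`), the `/v1/traces` path and the helper names are assumptions for this example, not settings or identifiers from the project.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxResponseBody is a hypothetical cap on how much of an export response the
// client will buffer. The value is an assumption for this example, not a
// setting taken from OpenTelemetry-Go.
const maxResponseBody int64 = 64 * 1024

var errResponseTooLarge = errors.New("response body exceeds size limit")

// readAllUnbounded mirrors the behaviour the advisory describes: the whole
// body is copied into memory, so peak memory tracks the response size.
func readAllUnbounded(body io.Reader) ([]byte, error) {
	return io.ReadAll(body)
}

// readBounded buffers at most limit bytes and reports an error when the body
// is longer, so a large response cannot drive memory usage arbitrarily high.
func readBounded(body io.Reader, limit int64) ([]byte, error) {
	// Read one byte past the limit so "exactly limit" and "too big" are distinguishable.
	data, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errResponseTooLarge
	}
	return data, nil
}

// exportWithLimit POSTs a payload to an OTLP/HTTP-style endpoint and reads the
// response through readBounded. It returns the status code and the body that
// was accepted; a real exporter would go on to parse the protobuf payload.
func exportWithLimit(client *http.Client, url string, payload []byte, limit int64) (int, []byte, error) {
	resp, err := client.Post(url, "application/x-protobuf", bytes.NewReader(payload))
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	body, err := readBounded(resp.Body, limit)
	if err != nil {
		return resp.StatusCode, nil, err
	}
	return resp.StatusCode, body, nil
}

// newOversizedCollector starts a constructed test server whose response body is
// bodySize bytes, standing in for a collector that returns more than the
// exporter should be willing to buffer.
func newOversizedCollector(bodySize int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/x-protobuf")
		w.WriteHeader(http.StatusOK)
		// Stream in chunks so the test server itself never allocates the full body.
		chunk := []byte(strings.Repeat("x", 4096))
		for remaining := bodySize; remaining > 0; {
			n := len(chunk)
			if remaining < n {
				n = remaining
			}
			if _, err := w.Write(chunk[:n]); err != nil {
				return // client gave up reading; stop writing
			}
			remaining -= n
		}
	}))
}

func main() {
	srv := newOversizedCollector(1 << 20) // 1 MiB response body
	defer srv.Close()
	status, body, err := exportWithLimit(srv.Client(), srv.URL+"/v1/traces", []byte("constructed-payload"), maxResponseBody)
	fmt.Println("status:", status, "buffered bytes:", len(body), "err:", err)
}
```

The bounded reader stops pulling data from the socket once the cap is passed, so the process's memory cost is fixed by the client rather than by whoever controls the endpoint. A client that already distrusts the response can equally use `http.MaxBytesReader`, which wraps the body with the same effect and also closes it for you.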