OpenTelemetry .NET Excessive Memory Allocation Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in the OpenTelemetry .NET framework, specifically within the OpenTelemetry.Api package versions 0.5.0-beta.2 prior to 1.15.2 and the OpenTelemetry.Extensions.Propagators package versions 1.3.1 prior to 1.15.2. The issue arises from the Baggage, B3, and Jaeger propagators, which can allocate excessive memory when parsing propagation headers. This flaw can be exploited to cause a denial-of-service condition in applications that use these packages.
Impact
Excessive memory allocation can lead to performance degradation or application crashes, causing a denial-of-service condition.
Remediation
Users can update to OpenTelemetry.Api version 1.15.3 or OpenTelemetry.Extensions.Propagators version 1.15.3, both of which address this vulnerability. Additionally, for those unable to update immediately, configuring HTTP request header limits or disabling baggage and trace propagation can serve as temporary workarounds.
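The two interim workarounds named above, shown together as an added example that is not code from the advisory or from the OpenTelemetry project. It assumes an ASP.NET Core service hosted on Kestrel that uses the OpenTelemetry.Extensions.Hosting and OpenTelemetry.Instrumentation.AspNetCore packages; the numeric header limits are illustrative values chosen for this example, not recommended settings. The SDK's default propagator is a composite of TraceContextPropagator and BaggagePropagator, so replacing it with TraceContextPropagator alone stops Baggage header parsing, and leaving the B3 and Jaeger propagators unregistered keeps those parsers out of the request path as well.

```csharp
// Added example (not code from the advisory or the OpenTelemetry project):
// a minimal ASP.NET Core Program.cs applying the two interim workarounds
// the advisory lists, for services that cannot upgrade the packages yet.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using OpenTelemetry;
using OpenTelemetry.Context.Propagation;
using OpenTelemetry.Trace;

var builder = WebApplication.CreateBuilder(args);

// Workaround 1: cap request header size at the server edge so an oversized
// propagation header is rejected (Kestrel answers HTTP 431) before any
// propagator parses it. The values below are assumptions for this example;
// Kestrel's defaults are 32 KB of headers in total and 100 headers, so only
// tighten as far as your legitimate clients allow.
builder.WebHost.ConfigureKestrel(options =>
{
    options.Limits.MaxRequestHeadersTotalSize = 16 * 1024; // bytes, all headers combined
    options.Limits.MaxRequestHeaderCount = 64;             // number of header fields
    options.Limits.MaxRequestLineSize = 8 * 1024;          // bytes, request line
});

// Workaround 2: restrict context propagation to W3C traceparent/tracestate.
// The SDK default is CompositeTextMapPropagator(TraceContext + Baggage);
// replacing it drops Baggage parsing. Do not register B3Propagator or
// JaegerPropagator from OpenTelemetry.Extensions.Propagators here either.
// To disable trace propagation entirely, use an empty composite instead:
//   Sdk.SetDefaultTextMapPropagator(
//       new CompositeTextMapPropagator(System.Array.Empty<TextMapPropagator>()));
Sdk.SetDefaultTextMapPropagator(new TraceContextPropagator());

builder.Services.AddOpenTelemetry()
    .WithTracing(tracing => tracing.AddAspNetCoreInstrumentation());

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();
```

The Kestrel limits only help when Kestrel terminates the connection; if a reverse proxy sits in front of the service, apply the equivalent header-size limits there too, since the proxy will otherwise forward the oversized header untouched. Disabling propagation breaks cross-service trace correlation, so treat both settings as stopgaps until the packages are updated to the fixed version.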
