OpenTelemetry .NET Jaeger Exporter Memory Exhaustion Vulnerability Allowing Denial-of-Service

Vulnerability

A vulnerability in the OpenTelemetry .NET Jaeger exporter, present in versions through 1.6.0-rc.1, can lead to sustained memory pressure. This occurs when the internal pooled-list sizing increases based on large observed span or tag sets, and the enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this behavior can escalate memory consumption, potentially causing a denial-of-service condition. The issue arises because the Jaeger exporter appends tag and event data into pooled list structures, which can be influenced by untrusted input, leading to process instability.
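The sizing pattern described above, modeled in C# as an added example; it is a simplified illustration, not the exporter's own source. The class name HighWaterList, the starting size of 64, and the maxRentSize cap are assumptions chosen to show how one oversized tag set inflates every later allocation, and how a bounded starting size contrasts with that.

```csharp
using System;
using System.Buffers;

// Simplified model of a pooled list whose starting size is a shared
// high-water mark. All names here are hypothetical.
public sealed class HighWaterList<T>
{
    private static int lastRentSize = 64;   // shared by every list of this T
    private T[] buffer;
    public int Count { get; private set; }
    public int Capacity => buffer.Length;

    // maxRentSize: assumed defensive bound on the size a new list starts with.
    public HighWaterList(int maxRentSize = int.MaxValue) =>
        buffer = ArrayPool<T>.Shared.Rent(Math.Min(lastRentSize, maxRentSize));

    public void Add(T item)
    {
        if (Count == buffer.Length)
        {
            // Growth raises the shared mark, so later lists start this large.
            lastRentSize = buffer.Length * 2;
            T[] bigger = ArrayPool<T>.Shared.Rent(lastRentSize);
            Array.Copy(buffer, bigger, Count);
            ArrayPool<T>.Shared.Return(buffer);
            buffer = bigger;
        }
        buffer[Count++] = item;
    }

    public void Return() => ArrayPool<T>.Shared.Return(buffer);
}

public static class Demo
{
    public static void Main()
    {
        var huge = new HighWaterList<string>();   // constructed input: one span, 100,000 tags
        for (int i = 0; i < 100_000; i++) huge.Add("tag" + i);
        huge.Return();

        // Both lists below are empty; only their starting capacity differs.
        var after = new HighWaterList<string>();
        var capped = new HighWaterList<string>(maxRentSize: 256);
        Console.WriteLine($"uncapped start capacity: {after.Capacity}");
        Console.WriteLine($"capped start capacity:   {capped.Capacity}");
        after.Return(); capped.Return();
    }
}
```

In this model the uncapped list starts at the size reached by the oversized span even though it holds nothing, which is the sustained memory pressure the advisory describes once many spans are exported concurrently.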

Impact

Exploitation of this vulnerability can cause process instability or a denial-of-service condition, due to unbounded memory consumption.

Remediation

Users are advised to switch to maintained exporters, such as the OpenTelemetry Protocol format (OTLP) exporter, instead of the Jaeger exporter.

Added: Apr 23, 2026, 7:50 PM
Updated: Apr 23, 2026, 7:50 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 6.5
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.