OpenTelemetry Exporter Zipkin Unbounded Cache Growth Vulnerability Leading to Increased Memory Usage

Vulnerability

A memory management vulnerability exists in the OpenTelemetry.Exporter.Zipkin package for .NET in versions through 1.15.2. The exporter's remote endpoint cache has no size limit, so its set of keys, which is based on span attributes, can grow without bound. With high-cardinality attributes, a sustained stream of unique remote endpoint values causes excessive memory consumption over time. As a result, processes that use the Zipkin exporter for client or producer spans may experience degraded performance and availability.

Impact

Exploitation of this vulnerability causes unnecessary memory growth in processes that use the Zipkin exporter when unique remote endpoint values are sustained. The increased memory usage can lead to performance degradation and availability issues.

Remediation

Users can upgrade to OpenTelemetry.Exporter.Zipkin version 1.15.3 or later, which includes a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size, preventing unbounded growth.

Added: May 6, 2026, 10:21 PM
Updated: May 6, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 7.6
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.