OpenTelemetry.Resources.Azure Unbounded Memory Allocation Vulnerability in Azure VM Metadata Requestor

Vulnerability

A denial-of-service vulnerability has been identified in OpenTelemetry.Resources.Azure, specifically in versions through 1.15.0-beta.1. The issue arises in the AzureVmMetaDataRequestor class, which makes HTTP requests to the Azure VM instance metadata service without limiting the size of the response. This flaw allows an attacker controlling the endpoint or intercepting the traffic to cause excessive memory allocation, leading to high memory pressure, garbage collection delays, or an OutOfMemoryException that crashes the process.

Impact

Exploitation of this vulnerability causes unbounded memory allocation, creating high transient memory pressure that can lead to garbage collection stalls or an OutOfMemoryException, terminating the process.

Remediation

The vulnerability is fixed in OpenTelemetry.Resources.Azure version 1.15.1-beta.1, which streams HTTP responses instead of buffering them entirely in memory and ignores responses larger than 4 MiB. As a workaround, the Azure VM resource detector can be disabled, or network-level controls such as firewall rules, mTLS, or a service mesh can be used to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint.
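
The remediation pattern described above (stream the response and ignore anything over 4 MiB) can be sketched as follows. This is an added example, not the code from OpenTelemetry.Resources.Azure; the class and method names (BoundedHttpReader, ReadCappedAsync) and the 16 KiB chunk size are assumptions made for illustration.

```csharp
#nullable enable
using System;
using System.IO;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Added illustration, not the OpenTelemetry.Resources.Azure source.
// BoundedHttpReader and ReadCappedAsync are hypothetical names.
public static class BoundedHttpReader
{
    // 4 MiB, the limit named in the advisory's remediation text.
    public const int MaxResponseBytes = 4 * 1024 * 1024;

    // Returns the body, or null when it exceeds the cap (the response is ignored).
    public static async Task<byte[]?> ReadCappedAsync(
        HttpClient client, Uri uri, CancellationToken ct = default)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, uri);
        request.Headers.Add("Metadata", "true"); // header the Azure IMDS requires

        // ResponseHeadersRead returns as soon as headers arrive, so HttpClient
        // does not buffer the whole body in memory before we can inspect it.
        using var response = await client.SendAsync(
            request, HttpCompletionOption.ResponseHeadersRead, ct).ConfigureAwait(false);
        response.EnsureSuccessStatusCode();

        // Cheap early reject. Content-Length may be absent or untruthful,
        // so the streaming loop below enforces the cap regardless.
        if (response.Content.Headers.ContentLength > MaxResponseBytes)
            return null;

        using var body = await response.Content.ReadAsStreamAsync().ConfigureAwait(false);
        using var buffer = new MemoryStream();
        var chunk = new byte[16 * 1024]; // assumed chunk size
        int read;
        while ((read = await body.ReadAsync(chunk, 0, chunk.Length, ct).ConfigureAwait(false)) > 0)
        {
            // Stop before the buffer can grow past the cap; disposing the
            // response abandons the rest of the body.
            if (buffer.Length + read > MaxResponseBytes)
                return null;
            buffer.Write(chunk, 0, read);
        }
        return buffer.ToArray();
    }
}
```

Peak allocation per request is bounded by the cap plus one chunk, whatever the endpoint sends. Pairing this with a short HttpClient.Timeout also bounds how long a slow or stalled response can hold the connection.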

Added: May 6, 2026, 10:20 PM
Updated: May 6, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.3
remediation: 0.0
relevance: 7.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.