CVE-2023-45142 (opentelemetry-go-contrib) #5602

Closed
antoninbas opened this issue Oct 18, 2023 · 1 comment
antoninbas commented Oct 18, 2023

This issue is informational only, and does not require any action from the Antrea Community. Antrea is not affected by CVE-2023-45142.

This CVE was published on 10/12/2023: https://nvd.nist.gov/vuln/detail/CVE-2023-45142
CVE scanners are reporting this vulnerability in all supported Antrea versions, including Antrea v1.13. The vulnerability is detected in Antrea Go binaries.

usr/local/bin/antrea-agent (gobinary)
=====================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/net/http/otelht- │ CVE-2023-45142 │ HIGH     │ fixed  │ v0.35.0           │ 0.44.0        │ OpenTelemetry-Go Contrib vulnerable to denial of service in │
│ tp                                                           │                │          │        │                   │               │ otelhttp due to unbound...                                  │
│                                                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45142                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

usr/local/bin/antrea-controller (gobinary)
==========================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/net/http/otelht- │ CVE-2023-45142 │ HIGH     │ fixed  │ v0.35.0           │ 0.44.0        │ OpenTelemetry-Go Contrib vulnerable to denial of service in │
│ tp                                                           │                │          │        │                   │               │ otelhttp due to unbound...                                  │
│                                                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45142                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

What is the vulnerability?

The vulnerability affects programs that use otelhttp.NewHandler without filtering requests. An attacker can craft malicious HTTP requests with unknown HTTP methods or User-Agents, leading to potential memory exhaustion. The vulnerability exists in all versions of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp prior to v0.44.0, and no patch has been backported at the time of writing this (10/18/2023). Antrea currently uses v0.35.0.

Does it actually affect Antrea?

Antrea uses the K8s apiserver library to implement its own API server (for both the Controller and the Agent). At the moment Antrea uses version v0.26.4 of the library:

antrea/go.mod, line 72 in 016f6b5:

    k8s.io/apiserver v0.26.4

The apiserver library uses otelhttp.NewHandler as is:
https://github.com/kubernetes/apiserver/blob/d3e415393e7e3642d9e6bb2a445385fd5e0e10bd/pkg/endpoints/filters/traces.go#L37

However, this code is gated by the APIServerTracing FeatureGate: https://github.com/kubernetes/apiserver/blob/d3e415393e7e3642d9e6bb2a445385fd5e0e10bd/pkg/server/config.go#L895-L897

Note that this is an apiserver FeatureGate. It is not an Antrea FeatureGate and it is not possible to enable / disable this FeatureGate by mutating the configuration for the Antrea Agent or Controller.

In K8s v1.26, the APIServerTracing FeatureGate is Alpha, and disabled by default. This means that when we import version v0.26.4 of the apiserver module, the FeatureGate is automatically disabled, and it is not possible for users to enable it:
https://github.com/kubernetes/apiserver/blob/d3e415393e7e3642d9e6bb2a445385fd5e0e10bd/pkg/features/kube_features.go#L79

As a result, no Antrea version (including Antrea v1.11, v1.12, v1.13 and the upcoming Antrea v1.14) is affected by this CVE.

Caution required from Antrea maintainers in the future

Some caution will be required when bumping up K8s dependencies in Antrea. The APIServerTracing FeatureGate was promoted to Beta (and enabled by default) in K8s v1.27. Once the FeatureGate is enabled, the issue exists even when no tracing config is provided (OpenTelemetry runs in passthrough mode and still collects problematic metrics). That means that when we bump up our K8s dependencies in the future, we should try to ensure that a more recent version of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp is also used. OpenTelemetry dependencies were recently updated for K8s top-of-tree (see kubernetes/kubernetes#121111), but the current version of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (v0.42.0) still suffers from the vulnerability.

antoninbas (Contributor, Author) commented:

After more investigation, it turns out that the issue does not affect the apiserver library, even when APIServerTracing is enabled. See the comment from the OpenTelemetry maintainer: kubernetes/kubernetes#121338 (comment)

This is because the apiserver does not actually use otel to track metrics. No MeterProvider is registered, so metrics are not actually tracked (which means there is no possible memory leak).

The conclusion for Antrea is the same: the issue does not affect us, even though scanners will keep reporting a vulnerability. We also don't need to worry when bumping up K8s dependencies.
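
The following Go program is an added example, not code from this issue, from Antrea or from OpenTelemetry; it models the mechanism both posts reason about: an otelhttp-style middleware that keys a metric on the raw method and User-Agent grows one series per distinct value, while a bounded label set or an absent meter (the "no MeterProvider registered" case from the follow-up) cannot accumulate anything. Meter, rawKey, boundedKey and SeriesAfter are hypothetical names, and collapsing unknown methods to "_OTHER" is shown as a generic bounded-cardinality pattern, not as a description of the v0.44.0 patch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed example, not Antrea or OpenTelemetry code; all names are hypothetical.
// Meter counts requests per label key. A nil Meter models "no MeterProvider
// registered": Record drops the sample, so no series can accumulate.
type Meter map[string]int

func (m Meter) Record(key string) {
	if m != nil {
		m[key]++
	}
}

func (m Meter) Series() int { return len(m) }

// rawKey is the unbounded labeling: raw method plus raw User-Agent, so every
// distinct value a client sends becomes a new series held in memory.
func rawKey(req *http.Request) string { return req.Method + "|" + req.UserAgent() }

// boundedKey fixes cardinality: unknown methods collapse to "_OTHER" and the
// User-Agent is not used as a label at all.
func boundedKey(req *http.Request) string {
	switch req.Method {
	case "GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "CONNECT", "OPTIONS", "TRACE":
		return req.Method
	}
	return "_OTHER"
}

// SeriesAfter drives n requests, each with a distinct method and User-Agent, through
// an otelhttp-style instrumented handler and returns how many series m then holds.
func SeriesAfter(m Meter, key func(*http.Request) string, n int) int {
	h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		m.Record(key(req)) // label and count before serving, as the middleware does
		w.WriteHeader(http.StatusOK)
	})
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(fmt.Sprintf("M%d", i), "/", nil)
		req.Header.Set("User-Agent", fmt.Sprintf("ua-%d", i))
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return m.Series()
}
```

With rawKey the series count equals the request count, with boundedKey it stays at one, and with a nil Meter it stays at zero, which is the regression check a maintainer would keep around when bumping the otelhttp or apiserver dependency.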

liu4480 added a commit to liu4480/antrea that referenced this issue Nov 15, 2023
…and CVE-2023-45142

Refer to issue antrea-io#5602: these CVEs don't affect Antrea, including prior versions of Antrea.
This patch only removes warnings from CVE scanners.

Signed-off-by: Bin Liu <biliu@vmware.com>
tnqn pushed a commit that referenced this issue Nov 16, 2023
For CVE-2023-47108 and CVE-2023-45142.

These CVEs don't affect Antrea, including prior versions of Antrea.
This patch is only meant to avoid warnings from CVE scanners.

See also #5602

Signed-off-by: Bin Liu <biliu@vmware.com>