CVE-2023-47108
Public on 2023-11-10
Modified on 2024-08-16
Description
Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.
The docker and containerd packages on Amazon Linux are not affected by CVE-2023-47108. Some static analysis tools report that CVE-2023-47108 affects containerd and docker. This is based on both packages being statically compiled with the otelgrpc Go module referenced by CVE-2023-47108. Neither package is affected by CVE-2023-47108 because taking advantage of the affected code requires administrator privileges in both cases.
Docker uses the otelgrpc module for OpenTelemetry tracing through BuildKit. Accessing the endpoint requires administrator privileges to use the Docker Engine remote API. Similarly, the containerd’s gRPC endpoint is only exposed through a local Unix socket and also requires administrator access.
The docker and containerd packages on Amazon Linux are not affected by CVE-2023-47108. Some static analysis tools report that CVE-2023-47108 affects containerd and docker. This is based on both packages being statically compiled with the otelgrpc Go module referenced by CVE-2023-47108. Neither package is affected by CVE-2023-47108 because taking advantage of the affected code requires administrator privileges in both cases.
Docker uses the otelgrpc module for OpenTelemetry tracing through BuildKit. Accessing the endpoint requires administrator privileges to use the Docker Engine remote API. Similarly, the containerd’s gRPC endpoint is only exposed through a local Unix socket and also requires administrator access.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | amazon-cloudwatch-agent | 2024-01-19 | ALAS2-2024-2424 | Fixed |
| Amazon Linux 2023 | amazon-cloudwatch-agent | 2024-01-19 | ALAS2023-2024-498 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | Not Affected | ||
| Amazon Linux 2 - Docker Extra | containerd | Not Affected | ||
| Amazon Linux 2 - Ecs Extra | containerd | Not Affected | ||
| Amazon Linux 2023 | containerd | Not Affected | ||
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | docker | Not Affected | ||
| Amazon Linux 2 - Docker Extra | docker | Not Affected | ||
| Amazon Linux 2 - Ecs Extra | docker | Not Affected | ||
| Amazon Linux 2023 | docker | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |