CVE-2023-47108
Public on 2023-11-10
Modified on 2024-08-16
Description
Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.
The docker and containerd packages on HAQM Linux are not affected by CVE-2023-47108. Some static analysis tools report that CVE-2023-47108 affects containerd and docker. This is based on both packages being statically compiled with the otelgrpc Go module referenced by CVE-2023-47108. Neither package is affected by CVE-2023-47108 because taking advantage of the affected code requires administrator privileges in both cases.
Docker uses the otelgrpc module for OpenTelemetry tracing through BuildKit. Accessing the endpoint requires administrator privileges to use the Docker Engine remote API. Similarly, the containerd’s gRPC endpoint is only exposed through a local Unix socket and also requires administrator access.
The docker and containerd packages on HAQM Linux are not affected by CVE-2023-47108. Some static analysis tools report that CVE-2023-47108 affects containerd and docker. This is based on both packages being statically compiled with the otelgrpc Go module referenced by CVE-2023-47108. Neither package is affected by CVE-2023-47108 because taking advantage of the affected code requires administrator privileges in both cases.
Docker uses the otelgrpc module for OpenTelemetry tracing through BuildKit. Accessing the endpoint requires administrator privileges to use the Docker Engine remote API. Similarly, the containerd’s gRPC endpoint is only exposed through a local Unix socket and also requires administrator access.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| HAQM Linux 2 - Core | amazon-cloudwatch-agent | 2024-01-19 | ALAS2-2024-2424 | Fixed |
| HAQM Linux 2023 | amazon-cloudwatch-agent | 2024-01-19 | ALAS2023-2024-498 | Fixed |
| HAQM Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | Not Affected | ||
| HAQM Linux 2 - Docker Extra | containerd | Not Affected | ||
| HAQM Linux 2 - Ecs Extra | containerd | Not Affected | ||
| HAQM Linux 2023 | containerd | Not Affected | ||
| HAQM Linux 2 - Aws-nitro-enclaves-cli Extra | docker | Not Affected | ||
| HAQM Linux 2 - Docker Extra | docker | Not Affected | ||
| HAQM Linux 2 - Ecs Extra | docker | Not Affected | ||
| HAQM Linux 2023 | docker | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| HAQM Linux | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |