[MEDIUM] Security Advisory: OpenTelemetry .NET has potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path (OpenTelemetry.Exporter.Jaeger)

OpenTelemetry’s Jaeger exporter for .NET carries a medium-severity flaw that triggers memory exhaustion through unbounded growth in pooled list allocations. Developers still using this deprecated component face denial-of-service risks from high-cardinality telemetry data or attacker-controlled inputs. No patch is coming—the exporter was sunsetted in 2023. Switch to maintained alternatives like OTLP now.

This advisory, rated medium by its publishers, spotlights how the exporter’s conversion path mishandles tag and event data. It appends payloads into pooled lists, likely leveraging .NET’s ArrayPool<T> for efficiency. The problem arises when a single large span or tag set inflates the pool’s sizing. That oversized allocation then persists globally, forcing subsequent operations to rent excessive memory. Under load from varied or malicious traces, memory usage balloons, starving the process.

Technical Breakdown

Dig into the mechanics: OpenTelemetry collects traces, metrics, and logs in a vendor-neutral format. Jaeger, Uber’s open-source tracing backend, ingests this via its Thrift-based protocol. The .NET exporter converts OpenTelemetry spans into Jaeger’s wire format, packing attributes and events into lists during serialization.

In vulnerable versions (unspecified, but predating deprecation) the pool resizes to the observed maximum without any bound. A trace with thousands of unique tags (high cardinality) sets a high watermark, and later traces, even small ones, inherit that size. In a busy service that handles user-generated telemetry, an attacker who can shape what reaches tracing, through public endpoints or through logs forwarded into tracing, can submit spans with massive tag sets.

Real-world trigger: microservices in Kubernetes clusters. Default limits might cap this, but thresholds raised for production tracing amplify exposure. Memory pressure builds gradually (sustained, not instant), leading to garbage-collection thrashing, swap usage, or OOM evictions. No confidentiality or integrity breach; a pure availability hit.
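As an added illustration (constructed here, not the exporter's own code), the following C# model reproduces the pattern the advisory describes: a converter that rents tag buffers from ArrayPool<T> sized by a process-wide high watermark, run beside the same converter with an attribute cap like the one recommended under mitigations. TagConverter, Program and the tag-count workload are hypothetical.

```csharp
using System;
using System.Buffers;
using System.Collections.Generic;

// Hypothetical model of the advisory's pattern (not the exporter's code): tag
// buffers are rented from ArrayPool<T> and sized from a process-wide watermark
// that only ever grows, so one huge span inflates every later rent. With a cap,
// the size comes from the cap and surplus tags are dropped instead.
public sealed class TagConverter
{
    private static int _highWatermark = 16;   // shared across all converters
    private readonly int _maxAttributes;      // 0 = no cap (vulnerable mode)

    public TagConverter(int maxAttributes = 0) => _maxAttributes = maxAttributes;

    // Copies one span's tags into a rented buffer; returns (copied, dropped, slots rented).
    public (int Copied, int Dropped, int Rented) Convert(IReadOnlyList<KeyValuePair<string, object>> tags)
    {
        int wanted = tags.Count, copied = wanted, size;
        if (_maxAttributes > 0) { copied = Math.Min(wanted, _maxAttributes); size = _maxAttributes; }
        else { _highWatermark = Math.Max(_highWatermark, wanted); size = _highWatermark; }
        var pool = ArrayPool<KeyValuePair<string, object>>.Shared;
        var buffer = pool.Rent(size);           // Rent rounds up to the pool's bucket size
        try
        {
            for (int i = 0; i < copied; i++) buffer[i] = tags[i];   // stand-in for serialization
            return (copied, wanted - copied, buffer.Length);
        }
        finally { pool.Return(buffer, clearArray: true); }
    }
}

public static class Program
{
    public static void Main()
    {
        int[] tagCounts = { 5, 5, 100_000, 5, 5 };   // constructed workload: one high-cardinality span
        var unbounded = new TagConverter();
        var bounded = new TagConverter(maxAttributes: 32);
        foreach (int n in tagCounts)
        {
            var tags = new List<KeyValuePair<string, object>>(n);
            for (int i = 0; i < n; i++) tags.Add(new("tag" + i, i));
            var u = unbounded.Convert(tags);
            var b = bounded.Convert(tags);
            Console.WriteLine($"tags={n,7}  unbounded rented={u.Rented,7}  bounded rented={b.Rented,3} dropped={b.Dropped}");
        }
    }
}
```

In the unbounded mode the two five-tag spans after the 100,000-tag span still rent a buffer sized for 100,000 entries, while the capped converter rents 32 slots every time and reports how many tags it discarded.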

OpenTelemetry’s Jaeger exporter hit end-of-life in mid-2023, around .NET SDK v1.6.0. The project shifted to OTLP (OpenTelemetry Protocol), a gRPC/HTTP standard natively supported by Jaeger 1.35+ and backends like Tempo or Zipkin. CNCF incubation since 2022 means broad adoption: 80% of Fortune 100 firms use it per vendor surveys. Legacy holdouts—perhaps 10-20% in audits—linger on old exporters for compatibility.

Why This Matters and What to Do

DoS via memory exhaustion disrupts tracing itself, blinding ops teams during incidents. In finance or crypto trading platforms, where Njalla clients operate, trace loss cascades: delayed anomaly detection, untraced transactions, compliance gaps. Attackers exploit this remotely if your app ingests untrusted telemetry, like browser spans or API logs.

Skeptical lens: Medium rating fits—exploitation needs volume and influence over inputs. Not zero-day panic, but sloppy for deprecated code. Why disclose now? Likely audit sweep or repro in wild. Fair point: maintainers prioritize active paths; this informs migrations.

Mitigate immediately:

// Packages: OpenTelemetry.Extensions.Hosting, OpenTelemetry.Instrumentation.AspNetCore,
// OpenTelemetry.Exporter.OpenTelemetryProtocol (replaces OpenTelemetry.Exporter.Jaeger)
using OpenTelemetry;        // WithTracing
using OpenTelemetry.Trace;  // AddAspNetCoreInstrumentation, AddOtlpExporter

services.AddOpenTelemetry()
    .WithTracing(builder => builder
        .AddAspNetCoreInstrumentation()
        .AddOtlpExporter(options =>
        {
            // 4317 is the OTLP/gRPC port of the collector or a Jaeger 1.35+ backend
            options.Endpoint = new Uri("https://your-collector:4317");
        }));

Cap attributes: Set MaxNumberOfAttributes = 32 in ActivitySource or processor configs. Monitor pool usage via dotnet-counters:

dotnet-counters monitor --process-id <pid> System.Threading.ThreadPool

Hunt ArrayPool metrics.

Scan deps: dotnet list package --vulnerable or OSV.dev. If stuck on Jaeger, isolate in sidecar or drop tags server-side. Bottom line: Deprecation was your warning. Act before memory leaks sink availability.

This flaw underscores a telemetry pitfall: observability tools need hardening too.

April 18, 2026 · 3 min · 14 views · Source: GitHub Security