
CVE-2023-47108: CWE-770: Allocation of Resources Without Limits or Throttling in open-telemetry opentelemetry-go-contrib

Severity: High
Published: Fri Nov 10 2023 (11/10/2023, 18:31:33 UTC)
Source: CVE Database V5
Vendor/Project: open-telemetry
Product: opentelemetry-go-contrib

Description

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

AI-Powered Analysis

Last updated: 10/28/2025, 19:18:43 UTC

Technical Analysis

CVE-2023-47108 is a resource exhaustion vulnerability (CWE-770) in the OpenTelemetry-Go Contrib library, affecting versions from 0.37.0 up to but not including 0.46.0. The grpc Unary Server Interceptor automatically attaches two attributes, `net.peer.sock.addr` and `net.peer.sock.port`, to the metrics it records. Because these attributes reflect the source socket address and port of each incoming request, their cardinality is unbounded: the metrics SDK keeps a separate time series for every distinct attribute set, so an attacker who sends a large volume of requests from varying addresses and ports forces the server to allocate state for an ever-growing number of series. This unthrottled allocation can exhaust the memory of the instrumented gRPC server process, crashing it or degrading its performance, which results in denial of service. The vulnerability is remotely exploitable without authentication or user interaction, which raises its risk profile. The issue was resolved in version 0.46.0 by limiting or removing these unbounded attributes. Workarounds are to configure a metrics view that drops these attributes, or to disable grpc metrics instrumentation entirely by passing the `otelgrpc.WithMeterProvider` option with a no-op meter provider (`noop.NewMeterProvider`), which prevents the collection of the affected metrics.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the availability of telemetry infrastructure that relies on the affected OpenTelemetry-Go Contrib versions. Telemetry data is critical for monitoring, observability, and incident response; disruption can impair the ability to detect and respond to other security incidents or operational issues. Organizations with high-volume grpc services or those exposed to untrusted networks are particularly vulnerable to denial of service attacks exploiting this flaw. The memory exhaustion can lead to service crashes or degraded performance, impacting business continuity and potentially causing cascading failures in dependent systems. Given the widespread adoption of OpenTelemetry in cloud-native and microservices environments, the impact could be broad, affecting sectors such as finance, healthcare, telecommunications, and public services across Europe. The lack of known exploits in the wild suggests limited active exploitation currently, but the ease of exploitation and high severity score warrant proactive mitigation.

Mitigation Recommendations

European organizations should immediately upgrade OpenTelemetry-Go Contrib to version 0.46.0 or later to fully remediate the vulnerability. If upgrading is not immediately feasible, implement one of the following mitigations: configure a telemetry view to remove the `net.peer.sock.addr` and `net.peer.sock.port` attributes from grpc metrics to prevent unbounded label cardinality; or disable grpc metrics instrumentation by passing the `otelgrpc.WithMeterProvider` option with a no-op meter provider to stop collection of these metrics entirely. Additionally, organizations should monitor grpc service logs and telemetry for unusual spikes in unique peer addresses or ports, which could indicate exploitation attempts. Network-level rate limiting or filtering of suspicious traffic sources can also reduce attack surface. Finally, incorporate this vulnerability into incident response and patch management workflows to ensure timely remediation and awareness.
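The following stdlib-only Go model is added here to illustrate the mechanism described in the analysis and the view-based workaround; it is not code from the OpenTelemetry project. It shows why the interceptor's default `net.peer.sock.addr` / `net.peer.sock.port` attributes make the number of stored time series grow with every new client port, and how a view that denies those keys bounds it (in the real SDK this is a `sdkmetric.NewView` whose `Stream.AttributeFilter` is built with `attribute.NewDenyKeysFilter`). The method name, peer address and port range are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// Attr is a constructed stand-in for an OpenTelemetry key/value attribute.
type Attr struct{ Key, Value string }
// AttrFilter plays the role of a metric view's attribute filter: true keeps the attribute.
type AttrFilter func(Attr) bool

// DenyKeys builds a filter that drops the named attribute keys (the view the advisory recommends).
func DenyKeys(keys ...string) AttrFilter {
	deny := map[string]bool{}
	for _, k := range keys {
		deny[k] = true
	}
	return func(a Attr) bool { return !deny[a.Key] }
}

// SeriesKey applies the filter and joins what survives; the SDK keeps one time series per distinct key.
func SeriesKey(attrs []Attr, f AttrFilter) string {
	var parts []string
	for _, a := range attrs {
		if f == nil || f(a) {
			parts = append(parts, a.Key+"="+a.Value)
		}
	}
	return strings.Join(parts, ",")
}

// interceptorAttrs reproduces the per-request label set the affected interceptor attached.
func interceptorAttrs(method, peerAddr string, peerPort int) []Attr {
	return []Attr{{"rpc.method", method}, {"net.peer.sock.addr", peerAddr}, {"net.peer.sock.port", fmt.Sprint(peerPort)}}
}

// Simulate records n requests from one address on fresh ephemeral ports and returns the series count held in memory.
func Simulate(n int, f AttrFilter) int {
	series := map[string]int{}
	for i := 0; i < n; i++ {
		series[SeriesKey(interceptorAttrs("/pkg.Svc/Call", "203.0.113.7", 40000+i), f)]++
	}
	return len(series)
}

func main() {
	fmt.Println("unfiltered series:", Simulate(5000, nil))
	fmt.Println("with deny-keys view:", Simulate(5000, DenyKeys("net.peer.sock.addr", "net.peer.sock.port")))
}
```

Without the filter every new source port creates another series (5000 requests, 5000 series); with the deny-keys view all requests collapse onto the single `rpc.method` series, which is the bound the workaround restores.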


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2023-10-30T19:57:51.673Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690116f28f31b6f061e5f1fc

Added to database: 10/28/2025, 7:18:10 PM

Last enriched: 10/28/2025, 7:18:43 PM

Last updated: 11/6/2025, 8:26:29 AM

