Vulnerabilities in Go dependencies: otelgrpc, otelhttp


We are using the release kubernetes-1.28.15 for our cluster. We are being flagged for the following vulnerabilities in kube-scheduler.

1. Advisory link: otelgrpc DoS vulnerability due to unbound cardinality metrics · CVE-2023-47108 · GitHub Advisory Database · GitHub

   Issue description:

   High vulnerability found in non-os package type (go-module): go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (cvss_v3_base_score=7.5). Otelgrpc DoS vulnerability due to unbound cardinality metrics. Package paths: /usr/local/bin/kube-scheduler

2. Advisory link: OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics · CVE-2023-45142 · GitHub Advisory Database · GitHub

   Issue description:

   High vulnerability found in non-os package type (go-module): go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (cvss_v3_base_score=7.5). OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics. Package paths: /usr/local/bin/kube-scheduler

We would like to know whether these vulnerable packages have already been updated. If yes, which version should we use? If not, are there any plans to upgrade them in the upcoming releases?

Cluster information:

Kubernetes version: 1.28.15
Cloud being used: OCI
Installation method:
Host OS:
CNI and version:
CRI and version:
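One way to answer the first question yourself, as an added example that is not part of the original post or of the Kubernetes project: every Go binary embeds its module list, and `go version -m <binary>` prints it, so the otelgrpc/otelhttp versions compiled into `/usr/local/bin/kube-scheduler` can be read off the binary and compared with the fixed versions given in the two advisories. The sample build info, its version numbers and the demo thresholds below are constructed placeholders; the real fixed versions must be taken from the advisories.

```shell
#!/bin/sh
# Added example (not from the post or the Kubernetes project): read the otelgrpc/otelhttp
# versions a Go binary was built with and compare them with a fixed version.
# `go version -m <binary>` prints "dep <module> <version> <hash>" lines from the
# build info embedded in the binary, so no source checkout is needed.
OTELGRPC_MOD="go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
OTELHTTP_MOD="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
# Constructed sample of `go version -m` output; versions and hashes are made up.
SAMPLE_BUILDINFO=$(printf 'kube-scheduler: go1.21.0\n\tpath\tk8s.io/kubernetes/cmd/kube-scheduler\n\tdep\t%s\tv0.40.0\th1:CONSTRUCTED\n\tdep\t%s\tv0.45.0\th1:CONSTRUCTED\n' "$OTELGRPC_MOD" "$OTELHTTP_MOD")

# Print the version of module $2 found in build-info text $1 (empty if absent).
module_version() {
  printf '%s\n' "$1" | awk -v mod="$2" '$1 == "dep" && $2 == mod { print $3; exit }'
}

# True (exit 0) when version $1 sorts before version $2. Compares the numeric
# major.minor.patch fields only, so pre-release suffixes are ignored.
version_lt() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1 }'
}

# Report module $2 in build-info $1 against fixed version $3; exit 1 when affected.
check_module() {
  found=$(module_version "$1" "$2")
  if [ -z "$found" ]; then
    echo "absent    $2"; return 0
  elif version_lt "$found" "$3"; then
    echo "AFFECTED  $2 $found (fixed in $3)"; return 1
  else
    echo "ok        $2 $found (>= $3)"; return 0
  fi
}

# Check both modules ($2 = otelgrpc fixed version, $3 = otelhttp fixed version).
scan_buildinfo() {
  rc=0
  check_module "$1" "$OTELGRPC_MOD" "$2" || rc=1
  check_module "$1" "$OTELHTTP_MOD" "$3" || rc=1
  return $rc
}

# Usage: ./check_otel.sh /usr/local/bin/kube-scheduler <otelgrpc-fixed> <otelhttp-fixed>
if [ "$#" -ge 3 ]; then
  scan_buildinfo "$(go version -m "$1")" "$2" "$3"
else  # no arguments: scan the constructed sample against demo thresholds
  scan_buildinfo "$SAMPLE_BUILDINFO" "v0.42.0" "v0.42.0" ||  # NOT the advisories' fixed versions
    echo "-> at least one module is below its fixed version; rebuild with updated modules"
fi
```

When run without arguments it uses the constructed sample and flags the otelgrpc line; a later versioned dependency may also appear as a `=>` replace line in real `go version -m` output, which this check ignores.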
