CVE-2022-21698

Published on: Not Yet Published

Last Modified on: 12/09/2022 04:46:00 PM UTC

CVE-2022-21698 - advisory for GHSA-cg3q-j54f-5p7p

Source: Mitre Source: NIST CVE.ORG Print: PDF PDF
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Certain versions of Extra Packages For Enterprise Linux from Fedoraproject contain the following vulnerability:

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.

  • CVE-2022-21698 has been assigned by URL Logo [email protected] to track the vulnerability - currently rated as HIGH severity.
  • Affected Vendor/Software: URL Logo prometheus - client_golang version < 1.11.1

CVSS3 Score: 7.5 - HIGH

Attack
Vector 		Attack
Complexity		 Privileges
Required		 User
Interaction
NETWORK LOW NONE NONE
Scope Confidentiality
Impact		 Integrity
Impact		 Availability
Impact
UNCHANGED NONE NONE HIGH

CVSS2 Score: 5 - MEDIUM

Access
Vector		 Access
Complexity		 Authentication
NETWORK LOW NONE
Confidentiality
Impact		 Integrity
Impact		 Availability
Impact
NONE NONE PARTIAL

CVE References

Description Tags Link
[SECURITY] Fedora 35 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-739c7a0058
Release 1.11.1 / 2022-02-15 · prometheus/client_golang · GitHub Release Notes
Third Party Advisory
github.com
text/html
 URL Logo MISC github.com/prometheus/client_golang/releases/tag/v1.11.1
[SECURITY] Fedora 35 Update: podman-3.4.7-1.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-c87047f163
[SECURITY] Fedora 36 Update: skopeo-1.7.0-1.fc36 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-5f253807ce
[SECURITY] Fedora 36 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc36 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-13ad572b5a
[SECURITY] Fedora 35 Update: buildah-1.23.4-1.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-396c568c5e
InstrumentHandler* HTTP middleware prone to DoS through method label cardinality · Advisory · prometheus/client_golang · GitHub Issue Tracking
Third Party Advisory
github.com
text/html
 URL Logo CONFIRM github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
[SECURITY] Fedora 36 Update: grafana-7.5.15-2.fc36 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-c5383675d9
[SECURITY] Fedora 35 Update: stargz-snapshotter-0.10.2-1.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-a7d438b30b
[SECURITY] Fedora 34 Update: stargz-snapshotter-0.10.2-1.fc34 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-e244ad73d6
[SECURITY] Fedora 34 Update: grafana-7.5.15-2.fc34 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-83405f9d5b
[SECURITY] Fedora 36 Update: aquatone-1.7.0-7.fc36 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-fae3ecee19
[SECURITY] Fedora 37 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc37 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-741325e9a0
[SECURITY] Fedora 36 Update: podman-4.0.3-1.fc36 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-2067702f06
[SECURITY] Fedora 35 Update: skopeo-1.7.0-1.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-eda0e65b01
[SECURITY] Fedora 34 Update: podman-3.4.7-1.fc34 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-5e637f6cc6
[SECURITY] Fedora 36 Update: golang-github-prometheus-client-1.12.2-2.fc36 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-92ef43c439
promhttp: Check validity of method and code label values by kakkoyun · Pull Request #962 · prometheus/client_golang · GitHub Patch
Third Party Advisory
github.com
text/html
 URL Logo MISC github.com/prometheus/client_golang/pull/962
[SECURITY] Fedora 34 Update: skopeo-1.7.0-1.fc34 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-6043a7b938
promhttp: Check validity of method and code label values (#962) by bwplotka · Pull Request #987 · prometheus/client_golang · GitHub Patch
Third Party Advisory
github.com
text/html
 URL Logo MISC github.com/prometheus/client_golang/pull/987
[SECURITY] Fedora 36 Update: stargz-snapshotter-0.11.3-2.fc36 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-6c4cb64314
[SECURITY] Fedora 35 Update: grafana-7.5.15-2.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
 URL Logo FEDORA FEDORA-2022-9dd03cab55
By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

  • 159829 Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2022-1762)
  • 160237 Oracle Enterprise Linux Security Update for container-tools:3.0 (ELSA-2022-7529)
  • 160238 Oracle Enterprise Linux Security Update for grafana (ELSA-2022-7519)
  • 160278 Oracle Enterprise Linux Security Update for grafana (ELSA-2022-8057)
  • 240293 Red Hat Update for container-tools:rhel8 security (RHSA-2022:1762)
  • 240386 Red Hat OpenShift Container Platform 5 Security Update (RHSA-2022:2280)
  • 240607 Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2022:5068)
  • 240610 Red Hat Update for OpenStack Platform 16.1 (RHSA-2022:6066)
  • 240614 Red Hat Update for OpenStack Platform 16.2 (RHSA-2022:6061)
  • 240821 Red Hat Update for container-tools:3.0 (RHSA-2022:7529)
  • 240850 Red Hat Update for grafana security (RHSA-2022:7519)
  • 240902 Red Hat Update for grafana security (RHSA-2022:8057)
  • 282547 Fedora Security Update for skopeo (FEDORA-2022-6043a7b938)
  • 282548 Fedora Security Update for skopeo (FEDORA-2022-eda0e65b01)
  • 282587 Fedora Security Update for stargz (FEDORA-2022-e244ad73d6)
  • 282588 Fedora Security Update for stargz (FEDORA-2022-a7d438b30b)
  • 282601 Fedora Security Update for grafana (FEDORA-2022-83405f9d5b)
  • 282602 Fedora Security Update for grafana (FEDORA-2022-9dd03cab55)
  • 282631 Fedora Security Update for podman (FEDORA-2022-c87047f163)
  • 282683 Fedora Security Update for podman (FEDORA-2022-5e637f6cc6)
  • 282815 Fedora Security Update for buildah (FEDORA-2022-396c568c5e)
  • 282883 Fedora Security Update for golang (FEDORA-2022-92ef43c439)
  • 282893 Fedora Security Update for 3mux (FEDORA-2022-fae3ecee19)
  • 282947 Fedora Security Update for 3mux (FEDORA-2022-3969b64d4b)
  • 283265 Fedora Security Update for golang (FEDORA-2022-13ad572b5a)
  • 283266 Fedora Security Update for golang (FEDORA-2022-739c7a0058)
  • 283460 Fedora Security Update for golang (FEDORA-2022-741325e9a0)
  • 502042 Alpine Linux Security Update for buildah
  • 752083 SUSE Enterprise Linux Security Update for firewalld, golang-github-prometheus-prometheus (SUSE-SU-2022:1435-1)
  • 752251 SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2022:2134-1)
  • 752252 SUSE Enterprise Linux Security Update for golang-github-prometheus-node_exporter (SUSE-SU-2022:2137-1)
  • 752253 SUSE Enterprise Linux Security Update for node_exporter (SUSE-SU-2022:2140-1)
  • 752731 SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2022:3747-1)
  • 752738 SUSE Enterprise Linux Security Update for golang-github-prometheus-node_exporter (SUSE-SU-2022:3745-1)
  • 753361 SUSE Enterprise Linux Security Update for podman (SUSE-SU-2022:2834-1)
  • 753444 SUSE Enterprise Linux Security Update for podman (SUSE-SU-2022:2839-1)
  • 753592 SUSE Enterprise Linux Security Update for podman (SUSE-SU-2023:0187-1)
  • 770161 Red Hat OpenShift Container Platform 4.1 Security Update (RHSA-2022:5068)
  • 940562 AlmaLinux Security Update for container-tools:rhel8 (ALSA-2022:1762)
  • 940770 AlmaLinux Security Update for grafana (ALSA-2022:7519)
  • 940773 AlmaLinux Security Update for container-tools:3.0 (ALSA-2022:7529)
  • 940826 AlmaLinux Security Update for grafana (ALSA-2022:8057)
  • 960194 Rocky Linux Security Update for container-tools:rhel8 (RLSA-2022:1762)

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
ApplicationFedoraprojectExtra Packages For Enterprise Linux7.0AllAllAll
ApplicationFedoraprojectExtra Packages For Enterprise Linux8.0AllAllAll
Operating
System		FedoraprojectFedora34AllAllAll
Operating
System		FedoraprojectFedora35AllAllAll
Operating
System		FedoraprojectFedora36AllAllAll
Operating
System		FedoraprojectFedora37AllAllAll
ApplicationFedoraprojectFedora Extra Packages For Enterprise Linux7.0AllAllAll
ApplicationPrometheusClient GolangAllAllAllAll
ApplicationRdo ProjectRdo-AllAllAll
  • cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*:
  • cpe:2.3:a:fedoraproject:fedora_extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:prometheus:client_golang:*:*:*:*:*:go:*:*:
  • cpe:2.3:a:rdo_project:rdo:-:*:*:*:*:*:*:*:

Social Mentions

Source Title Posted (UTC)
Twitter Icon @CVEreport CVE-2022-21698 : client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp p… twitter.com/i/web/status/1… 2022-02-28 18:46:59
© CVE.report 2023 Twitter Nitter Twitter Viewer |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report