
List:       oss-security
Subject:    [oss-security] CVE-2022-21698: HTTP method DOS; Prometheus client_golang <1.11.1 affected; Other web
From:       Bartek Plotka <bartek () prometheus ! io>
Date:       2022-02-15 12:53:06
Message-ID: CALSHWeDjhVEkJ76sRzqX56ToyxpLF+BsYTHneQ7iQ8H=0exeoA () mail ! gmail ! com


Hi,

The Prometheus Team just published CVE-2022-21698
<https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p>,
which relates to unbounded cardinality of the HTTP method, which is not validated by
some HTTP server implementations (including the Go one). See the GitHub
security advisory for more details on potential attack vectors, characteristics
and workarounds.

Prometheus client_golang before 1.11.1 was affected. Newer versions are
patched. See the announcement:
<https://groups.google.com/g/prometheus-announce/c/zlCm4A7FwZU>

Note, however, that many metric implementations that gather metrics about
HTTP requests can be affected, even without using client_golang or when using
different programming languages (!). We notified some common open-source
web-server projects (including Kubernetes), and some of them were affected
(without client_golang) and patched subsequently.

We would like to thank Prometheus contributor David <https://github.com/dgl>
for reporting this.

Thanks,
The Prometheus Team
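The cardinality problem described in the message above, as an added example that is not part of the original post or of client_golang's code. The counter below is a standard-library stand-in for a Prometheus CounterVec with a "method" label (no Prometheus import, so it runs offline); `SanitizeMethod` is an assumed allowlist written for this example and may differ in detail from the fix shipped in client_golang 1.11.1. The attacker-supplied method names are constructed here. Requests are built with `httptest.NewRequest`, which runs the same request-line parser as the net/http server: any RFC 7230 token is accepted as a method, so an unauthenticated client can create one new time series per request when the raw method is used as a label.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// methodCounter stands in for a Prometheus CounterVec with a "method" label,
// the instrumentation pattern behind CVE-2022-21698. client_golang is
// deliberately not used so the example depends only on the standard library.
type methodCounter struct {
	mu       sync.Mutex
	sanitize func(string) string // label derivation; nil means "use r.Method verbatim"
	counts   map[string]int      // one map entry == one exported time series
}

func newMethodCounter(sanitize func(string) string) *methodCounter {
	return &methodCounter{sanitize: sanitize, counts: map[string]int{}}
}

// Wrap returns middleware that increments the per-method counter.
func (c *methodCounter) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		label := r.Method
		if c.sanitize != nil {
			label = c.sanitize(r.Method)
		}
		c.mu.Lock()
		c.counts[label]++
		c.mu.Unlock()
		next.ServeHTTP(w, r)
	})
}

// Series reports how many distinct label values (time series) exist.
func (c *methodCounter) Series() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.counts)
}

// SanitizeMethod is the hardened label derivation: only standard methods are
// accepted as label values, everything else collapses into "unknown".
// The allowlist is an assumption made for this example.
func SanitizeMethod(m string) string {
	switch strings.ToUpper(m) {
	case "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH":
		return strings.ToLower(m)
	default:
		return "unknown"
	}
}

// DriveRequests sends each method through the instrumented handler and returns
// the resulting number of series. httptest.NewRequest uses http.ReadRequest,
// the same parser the net/http server uses, so any token such as "EVIL42"
// is accepted as a method without validation.
func DriveRequests(sanitize func(string) string, methods []string) int {
	c := newMethodCounter(sanitize)
	h := c.Wrap(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	for _, m := range methods {
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(m, "/", nil))
	}
	return c.Series()
}

// AttackerMethods constructs n distinct, token-valid method names, the way an
// unauthenticated client could (e.g. `curl -X EVIL42 http://target/`).
func AttackerMethods(n int) []string {
	methods := make([]string, 0, n)
	for i := 0; i < n; i++ {
		methods = append(methods, fmt.Sprintf("EVIL%d", i))
	}
	return methods
}

func main() {
	legit := []string{"GET", "POST", "get"}
	all := append(legit, AttackerMethods(1000)...)
	fmt.Printf("unsanitized: %d series\n", DriveRequests(nil, all))            // 1003
	fmt.Printf("sanitized:   %d series\n", DriveRequests(SanitizeMethod, all)) // 3
}
```

With the raw method as label, 1000 junk requests produce 1000 new series alongside the three legitimate ones; with the allowlist they all fold into a single "unknown" series, which is the property to check in any exporter that labels by method or status code, whatever language it is written in.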

