Message-ID: <CALSHWeDjhVEkJ76sRzqX56ToyxpLF+BsYTHneQ7iQ8H=0exeoA@mail.gmail.com>
Date: Tue, 15 Feb 2022 13:53:06 +0100
From: Bartek Plotka <bartek@...metheus.io>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-21698: HTTP method DOS; Prometheus client_golang <1.11.1 affected; Other web servers might be affected too

Hi,

The Prometheus Team just published CVE-2022-21698
<https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p>
that relates to unbounded cardinality of the HTTP method, which is not
validated by some HTTP server implementations (including the Golang one).

See the GitHub security advisory
<https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p>
for more details on potential attack vectors, characteristics and workarounds.

Prometheus client_golang before 1.11.1 was affected. Newer versions are
patched. See the announcement
<https://groups.google.com/g/prometheus-announce/c/zlCm4A7FwZU>.

Note however that many metric implementations that gather metrics about
HTTP requests can be affected, even without using client_golang or using
different programming languages (!). We notified some common open-source
web-server projects (including Kubernetes) and some of them were affected
(without client_golang) and patched subsequently.

We would like to thank Prometheus contributor David
<https://github.com/dgl> for reporting this.

Thanks,
The Prometheus Team
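The mechanism described above, as an added example that is not part of the original message or of client_golang: a request counter keyed by the HTTP method label, driven with method tokens an attacker chooses. Go's `http.ReadRequest` (the same parser the `net/http` server uses, and what `httptest.NewRequest` calls) accepts any RFC 7230 token as a method, so with an unsanitized label every new token creates a new time series and the series count grows without bound. The `boundedMethod` allowlist is my own illustration of the fix's general approach, reducing the label set to a fixed size; the counter type, function names and the constructed traffic are assumptions for this example, not the library's API.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// methodCounter is a toy stand-in for a "requests by HTTP method" metric.
// It is constructed for this example and is not client_golang's API; the
// only property that matters here is that each distinct label value costs
// one entry in memory, exactly as a distinct time series would.
type methodCounter struct {
	mu     sync.Mutex
	series map[string]int
	label  func(method string) string
}

func newMethodCounter(label func(string) string) *methodCounter {
	return &methodCounter{series: make(map[string]int), label: label}
}

// ServeHTTP records one observation under the (possibly sanitized) method.
func (c *methodCounter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	c.mu.Lock()
	c.series[c.label(r.Method)]++
	c.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// Cardinality is the number of distinct label values, i.e. time series.
func (c *methodCounter) Cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// rawMethod is the vulnerable labelling: whatever token the client sent.
func rawMethod(m string) string { return m }

// boundedMethod keeps the label set finite: known verbs are normalised to
// lowercase, anything else collapses to a single "unknown" value.
// (Assumed allowlist for this example; adjust to what the service serves.)
func boundedMethod(m string) string {
	switch strings.ToUpper(m) {
	case "GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "CONNECT", "TRACE":
		return strings.ToLower(m)
	}
	return "unknown"
}

// sampleTraffic is constructed input: two legitimate requests followed by n
// requests whose method is an attacker-chosen token. Every one of them is a
// valid token under RFC 7230, so the Go parser does not reject it.
func sampleTraffic(n int) []string {
	methods := []string{"GET", "POST"}
	for i := 0; i < n; i++ {
		methods = append(methods, fmt.Sprintf("ATTACK%d", i))
	}
	return methods
}

// simulate feeds each method through the handler and returns the resulting
// series count. httptest.NewRequest panics on an invalid method, so reaching
// the handler at all shows the parser accepted the token.
func simulate(label func(string) string, methods []string) int {
	h := newMethodCounter(label)
	for _, m := range methods {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(m, "/", nil))
	}
	return h.Cardinality()
}

func main() {
	traffic := sampleTraffic(1000)
	fmt.Printf("raw method label:     %d series\n", simulate(rawMethod, traffic))
	fmt.Printf("bounded method label: %d series\n", simulate(boundedMethod, traffic))
}
```

The first number scales linearly with the attacker's request count (1002 series for 1000 bogus verbs), which is the memory-exhaustion path the advisory describes; the second stays at three regardless of how many distinct tokens arrive. The same check applies to any label derived from client-controlled input, whatever language or metrics library produces it.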