Security Vulnerability detected #3046
Comments
Always send this issue as e-mail to: prometheus-team@googlegroups.com
Neither alertmanager nor amtool import the
These reports should disappear with the next minor release of the Alertmanager (as we routinely upgrade dependencies for a minor release). However, if these CVEs are all in code that is not actually used in the Alertmanager, there will be no bugfix release for it. As @M4rkus- said, please don't report security issues via a GH issue. (It could be a real issue, and then it should be fixed first before it is publicly announced.) Please follow the Prometheus security policy (also linked from SECURITY.md).
had an email contact with the Apache security team in the same circumstance in one of their projects, they told me:
with this, a report like this issue or #3117 (which also reports findings from trivy, documented at artifacthub.io)
Dependencies are generally updated automatically. Therefore, each minor release should include all pending dependency updates. (And chances are that the dependencies your security scan has listed are already updated in the main branch.) If there are reasons to expedite the release of a version with updated dependencies, we can cut a bugfix release. If those reasons are actually security issues, then please use the non-public reporting mechanism discussed above. If there are other reasons, feel free to report them as an issue.
Many thanks for detailing it.
closed by #3187 |
Hello,
We use the Alertmanager in version v0.24.0 in our production clusters. When scanning with Trivy, these two vulnerabilities were found. It is urgent that the leaks are closed. Many thanks!
Trivy-Scan:
"Results": [
{
"Target": "bin/alertmanager",
"Class": "lang-pkgs",
"Type": "gobinary",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-27191",
"PkgName": "golang.org/x/crypto",
"InstalledVersion": "v0.0.0-20210616213533-5ff15b29337e",
"FixedVersion": "0.0.0-20220314234659-1baeb1ce4c0b",
"Layer": {
"Digest": "sha256:eff15e454e36aa140fab50241f2e21d9c9613b4f17336f7fcc4ece1492d5a81e",
"DiffID": "sha256:1fab62a9c3e2a608d838762e10844d7c277a855700f7b91c0aa73036209641ec"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27191",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "golang: crash in a golang.org/x/crypto/ssh server",
"Description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.",
"Severity": "HIGH",
"CweIDs": [
"CWE-327"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 4.3,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2022-27191",
"https://github.com/advisories/GHSA-8c26-wmh5-6g9v",
"https://go.dev/cl/392355",
"https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d",
"https://groups.google.com/g/golang-announce",
"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s",
"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ3S7LB65N54HXXBCB67P4TTOHTNPP5O/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HHGBEGJ54DZZGTXFUQNS7ZIG3E624YAF/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QTFOIDHQRGNI4P6LYN6ILH5G443RYYKB/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YHYRQB7TRMHDB3NEHW5XBRG7PPMUTPGV/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFUNHFHQVJSADNH7EZ3B53CYDZVEEPBP/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQNPPQWSTP2IX7SHE6TS4SP4EVMI5EZK/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/",
"https://nvd.nist.gov/vuln/detail/CVE-2022-27191",
"https://pkg.go.dev/vuln/GO-2021-0356",
"https://security.netapp.com/advisory/ntap-20220429-0002/"
],
"PublishedDate": "2022-03-18T07:15:00Z",
"LastModifiedDate": "2022-08-17T04:15:00Z"
}
]
},
{
"Target": "bin/amtool",
"Class": "lang-pkgs",
"Type": "gobinary",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-27191",
"PkgName": "golang.org/x/crypto",
"InstalledVersion": "v0.0.0-20210616213533-5ff15b29337e",
"FixedVersion": "0.0.0-20220314234659-1baeb1ce4c0b",
"Layer": {
"Digest": "sha256:c7c947db7a9ad516d2010d087af49d58bd2d9ea3bf622d2e5f4801f513a4850c",
"DiffID": "sha256:43ac410b5fc47e7689e6a028b7658f15e5a0a846c3cecedb96058751461bd1cd"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27191",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "golang: crash in a golang.org/x/crypto/ssh server",
"Description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.",
"Severity": "HIGH",
"CweIDs": [
"CWE-327"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 4.3,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2022-27191",
"https://github.com/advisories/GHSA-8c26-wmh5-6g9v",
"https://go.dev/cl/392355",
"https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d",
"https://groups.google.com/g/golang-announce",
"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s",
"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ3S7LB65N54HXXBCB67P4TTOHTNPP5O/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HHGBEGJ54DZZGTXFUQNS7ZIG3E624YAF/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QTFOIDHQRGNI4P6LYN6ILH5G443RYYKB/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YHYRQB7TRMHDB3NEHW5XBRG7PPMUTPGV/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFUNHFHQVJSADNH7EZ3B53CYDZVEEPBP/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQNPPQWSTP2IX7SHE6TS4SP4EVMI5EZK/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/",
"https://nvd.nist.gov/vuln/detail/CVE-2022-27191",
"https://pkg.go.dev/vuln/GO-2021-0356",
"https://security.netapp.com/advisory/ntap-20220429-0002/"
],
"PublishedDate": "2022-03-18T07:15:00Z",
"LastModifiedDate": "2022-08-17T04:15:00Z"
}
]
}
]
}
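The maintainers' point in the comments is that Trivy flags the whole golang.org/x/crypto module, while the advisory in the report above (CVE-2022-27191, GO-2021-0356) concerns only the golang.org/x/crypto/ssh package, which the binaries do not import. The Go program below is an added triage example, not code from the Alertmanager project or from the issue: it parses a trimmed copy of the Trivy report above (constructed inline), checks the installed pseudo-version against the fixed one by the commit timestamp embedded in the version string, and joins each finding with the binary's import set, which the caller supplies (for example from `go list -deps ./cmd/alertmanager`). The `affectedPackage` map, the import list in `main`, and the verdict wording are assumptions for the example; a real pipeline would take the affected package from the Go vulnerability database (or simply run govulncheck, which does this reachability analysis itself).

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Report is the subset of Trivy's JSON output needed for triage.
type Report struct {
	Results []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			VulnerabilityID  string `json:"VulnerabilityID"`
			PkgName          string `json:"PkgName"`
			InstalledVersion string `json:"InstalledVersion"`
			FixedVersion     string `json:"FixedVersion"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Constructed sample: the two findings from the Trivy output above, trimmed to these fields.
const sampleReport = `{"Results":[
 {"Target":"bin/alertmanager","Vulnerabilities":[{"VulnerabilityID":"CVE-2022-27191",
  "PkgName":"golang.org/x/crypto","InstalledVersion":"v0.0.0-20210616213533-5ff15b29337e",
  "FixedVersion":"0.0.0-20220314234659-1baeb1ce4c0b"}]},
 {"Target":"bin/amtool","Vulnerabilities":[{"VulnerabilityID":"CVE-2022-27191",
  "PkgName":"golang.org/x/crypto","InstalledVersion":"v0.0.0-20210616213533-5ff15b29337e",
  "FixedVersion":"0.0.0-20220314234659-1baeb1ce4c0b"}]}]}`

// affectedPackage maps an advisory to the package it names. Trivy flags the whole module
// (golang.org/x/crypto); the advisory behind CVE-2022-27191 is about golang.org/x/crypto/ssh.
// Assumption: a real pipeline fills this table from the Go vulndb rather than by hand.
var affectedPackage = map[string]string{"CVE-2022-27191": "golang.org/x/crypto/ssh"}

// pseudoRe matches v0.0.0-<yyyymmddhhmmss>-<12 hex> pseudo-versions, with or without
// the leading "v" (Trivy omits it from FixedVersion).
var pseudoRe = regexp.MustCompile(`^v?0\.0\.0-(\d{14})-[0-9a-f]{12}$`)

// olderThanFix reports whether installed predates fixed. Pseudo-versions on the same base
// order by their embedded timestamp; any other form is reported as not comparable.
func olderThanFix(installed, fixed string) (older, comparable bool) {
	a, b := pseudoRe.FindStringSubmatch(installed), pseudoRe.FindStringSubmatch(fixed)
	if a == nil || b == nil {
		return false, false
	}
	return a[1] < b[1], true
}

type Finding struct {
	Target, ID, Module string
	VulnPkg            string // package the advisory names, "" if unknown
	Older              bool   // installed module version predates the fix (or is not comparable)
	Imported           bool   // that package is in the binary's import set
}

// Verdict turns the two checks into an action.
func (f Finding) Verdict() string {
	switch {
	case !f.Older:
		return "not affected: installed version is at or past the fix"
	case f.VulnPkg == "":
		return "needs review: advisory package unknown, treat as affected"
	case f.Imported:
		return "affected: vulnerable package is linked in, upgrade and cut a release"
	default:
		return "module-level only: vulnerable package not imported, upgrade with the routine dependency bump"
	}
}

// Triage joins the Trivy report with the binary's import set (for example the output of
// `go list -deps ./cmd/alertmanager`, supplied by the caller).
func Triage(reportJSON string, importedPkgs []string) ([]Finding, error) {
	var r Report
	if err := json.Unmarshal([]byte(reportJSON), &r); err != nil {
		return nil, fmt.Errorf("parse trivy report: %w", err)
	}
	imported := map[string]bool{}
	for _, p := range importedPkgs {
		imported[p] = true
	}
	var out []Finding
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			older, ok := olderThanFix(v.InstalledVersion, v.FixedVersion)
			pkg := affectedPackage[v.VulnerabilityID]
			out = append(out, Finding{Target: res.Target, ID: v.VulnerabilityID, Module: v.PkgName,
				VulnPkg: pkg, Older: older || !ok, Imported: pkg != "" && imported[pkg]})
		}
	}
	return out, nil
}

func main() {
	// Constructed import set: assume the binaries use x/crypto/bcrypt but not x/crypto/ssh.
	findings, err := Triage(sampleReport, []string{"golang.org/x/crypto/bcrypt"})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s (%s): %s\n", f.Target, f.ID, f.Module, f.Verdict())
	}
}
```

Two design points: a version that cannot be compared (a tagged release against a pseudo-version, or an empty FixedVersion) is treated as vulnerable rather than silently dropped, and an advisory with no known affected package is sent for review instead of being dismissed. Both failure modes would otherwise turn a scanner triage script into a way of hiding real findings.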