
Security Vulnerability detected #3046

Closed
M4rkus- opened this issue Aug 24, 2022 · 7 comments

Comments

@M4rkus-

M4rkus- commented Aug 24, 2022

Hello,

We use the Alertmanager in version v0.24.0 in our production clusters. When scanning with Trivy, these two vulnerabilities were found. It is urgent that the leaks are closed. Many thanks!

Trivy-Scan:

{
"Results": [
{
"Target": "bin/alertmanager",
"Class": "lang-pkgs",
"Type": "gobinary",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-27191",
"PkgName": "golang.org/x/crypto",
"InstalledVersion": "v0.0.0-20210616213533-5ff15b29337e",
"FixedVersion": "0.0.0-20220314234659-1baeb1ce4c0b",
"Layer": {
"Digest": "sha256:eff15e454e36aa140fab50241f2e21d9c9613b4f17336f7fcc4ece1492d5a81e",
"DiffID": "sha256:1fab62a9c3e2a608d838762e10844d7c277a855700f7b91c0aa73036209641ec"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27191",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "golang: crash in a golang.org/x/crypto/ssh server",
"Description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.",
"Severity": "HIGH",
"CweIDs": [
"CWE-327"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 4.3,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2022-27191",
"https://github.com/advisories/GHSA-8c26-wmh5-6g9v",
"https://go.dev/cl/392355",
"https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d",
"https://groups.google.com/g/golang-announce",
"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s",
"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ3S7LB65N54HXXBCB67P4TTOHTNPP5O/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HHGBEGJ54DZZGTXFUQNS7ZIG3E624YAF/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QTFOIDHQRGNI4P6LYN6ILH5G443RYYKB/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YHYRQB7TRMHDB3NEHW5XBRG7PPMUTPGV/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFUNHFHQVJSADNH7EZ3B53CYDZVEEPBP/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQNPPQWSTP2IX7SHE6TS4SP4EVMI5EZK/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/",
"https://nvd.nist.gov/vuln/detail/CVE-2022-27191",
"https://pkg.go.dev/vuln/GO-2021-0356",
"https://security.netapp.com/advisory/ntap-20220429-0002/"
],
"PublishedDate": "2022-03-18T07:15:00Z",
"LastModifiedDate": "2022-08-17T04:15:00Z"
}
]
},
{
"Target": "bin/amtool",
"Class": "lang-pkgs",
"Type": "gobinary",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-27191",
"PkgName": "golang.org/x/crypto",
"InstalledVersion": "v0.0.0-20210616213533-5ff15b29337e",
"FixedVersion": "0.0.0-20220314234659-1baeb1ce4c0b",
"Layer": {
"Digest": "sha256:c7c947db7a9ad516d2010d087af49d58bd2d9ea3bf622d2e5f4801f513a4850c",
"DiffID": "sha256:43ac410b5fc47e7689e6a028b7658f15e5a0a846c3cecedb96058751461bd1cd"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27191",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "golang: crash in a golang.org/x/crypto/ssh server",
"Description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.",
"Severity": "HIGH",
"CweIDs": [
"CWE-327"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 4.3,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2022-27191",
"https://github.com/advisories/GHSA-8c26-wmh5-6g9v",
"https://go.dev/cl/392355",
"https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d",
"https://groups.google.com/g/golang-announce",
"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s",
"https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ3S7LB65N54HXXBCB67P4TTOHTNPP5O/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HHGBEGJ54DZZGTXFUQNS7ZIG3E624YAF/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QTFOIDHQRGNI4P6LYN6ILH5G443RYYKB/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YHYRQB7TRMHDB3NEHW5XBRG7PPMUTPGV/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFUNHFHQVJSADNH7EZ3B53CYDZVEEPBP/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQNPPQWSTP2IX7SHE6TS4SP4EVMI5EZK/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/",
"https://nvd.nist.gov/vuln/detail/CVE-2022-27191",
"https://pkg.go.dev/vuln/GO-2021-0356",
"https://security.netapp.com/advisory/ntap-20220429-0002/"
],
"PublishedDate": "2022-03-18T07:15:00Z",
"LastModifiedDate": "2022-08-17T04:15:00Z"
}
]
}
]
}

@M4rkus-
Author

M4rkus- commented Sep 8, 2022

Always send this issue as e-mail to: prometheus-team@googlegroups.com

@simonpasquier
Member

Neither alertmanager nor amtool import the golang.org/x/crypto/ssh package. I believe that the scanner reports a false positive because they import other packages from the golang.org/x/crypto module.
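
One way to do the check described in the comment above, as an added example that is not the project's own code: it parses the Trivy JSON posted in this issue (only the fields needed for triage), looks up which package the advisory actually concerns, and tests that package against the binary's import graph as printed by `go list -deps ./cmd/alertmanager`. The `affectedPackages` table is a hypothetical hand-maintained map whose single entry follows the advisory text in the report (CVE-2022-27191 concerns `golang.org/x/crypto/ssh`), and the dependency lists are constructed for illustration; the import path must match exactly, so `golang.org/x/crypto/ssh/terminal` is not mistaken for `golang.org/x/crypto/ssh`, and an advisory missing from the table is conservatively treated as reachable.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// trivyReport holds just the fields of a Trivy JSON report needed for triage.
type trivyReport struct {
	Results []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			VulnerabilityID  string `json:"VulnerabilityID"`
			PkgName          string `json:"PkgName"`
			InstalledVersion string `json:"InstalledVersion"`
			FixedVersion     string `json:"FixedVersion"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Finding is one Trivy hit annotated with whether the affected package is reachable.
type Finding struct {
	Target   string
	ID       string
	Module   string   // module Trivy matched, e.g. golang.org/x/crypto
	Packages []string // packages the advisory actually concerns
	Imported bool     // true if any of Packages is in the binary's import graph
}

// affectedPackages maps an advisory ID to the packages it concerns.
// Hypothetical hand-maintained table; the one entry mirrors the advisory
// description in the Trivy report (golang.org/x/crypto/ssh).
var affectedPackages = map[string][]string{
	"CVE-2022-27191": {"golang.org/x/crypto/ssh"},
}

// parseDeps turns `go list -deps` output (one import path per line) into a set.
func parseDeps(goListOutput string) map[string]bool {
	set := map[string]bool{}
	for _, line := range strings.Split(goListOutput, "\n") {
		if p := strings.TrimSpace(line); p != "" {
			set[p] = true
		}
	}
	return set
}

// Triage annotates each finding in the report. deps maps a Target, as named in
// the report, to that binary's dependency set. Exact path matching only.
func Triage(report []byte, deps map[string]map[string]bool) ([]Finding, error) {
	var r trivyReport
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse trivy report: %w", err)
	}
	var out []Finding
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			pkgs, known := affectedPackages[v.VulnerabilityID]
			f := Finding{Target: res.Target, ID: v.VulnerabilityID, Module: v.PkgName, Packages: pkgs}
			if !known {
				// No package-level data for this advisory: assume reachable.
				f.Packages = []string{v.PkgName + "/..."}
				f.Imported = true
			}
			for _, p := range pkgs {
				if deps[res.Target][p] {
					f.Imported = true
				}
			}
			out = append(out, f)
		}
	}
	return out, nil
}

// Constructed report: the two hits from this issue, trimmed to the triage fields.
const sampleReport = `{"Results":[
 {"Target":"bin/alertmanager","Vulnerabilities":[{"VulnerabilityID":"CVE-2022-27191","PkgName":"golang.org/x/crypto","InstalledVersion":"v0.0.0-20210616213533-5ff15b29337e","FixedVersion":"0.0.0-20220314234659-1baeb1ce4c0b"}]},
 {"Target":"bin/amtool","Vulnerabilities":[{"VulnerabilityID":"CVE-2022-27191","PkgName":"golang.org/x/crypto","InstalledVersion":"v0.0.0-20210616213533-5ff15b29337e","FixedVersion":"0.0.0-20220314234659-1baeb1ce4c0b"}]}]}`

// Constructed `go list -deps` excerpts: other x/crypto packages, but not x/crypto/ssh.
const alertmanagerDeps = "golang.org/x/crypto/bcrypt\ngolang.org/x/crypto/ssh/terminal\ngolang.org/x/net/http2\n"
const amtoolDeps = "golang.org/x/crypto/bcrypt\n"

// SampleTriage runs Triage over the constructed data above.
func SampleTriage() ([]Finding, error) {
	deps := map[string]map[string]bool{
		"bin/alertmanager": parseDeps(alertmanagerDeps),
		"bin/amtool":       parseDeps(amtoolDeps),
	}
	return Triage([]byte(sampleReport), deps)
}

func main() {
	findings, err := SampleTriage()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		status := "NOT IMPORTED: likely false positive, confirm with govulncheck"
		if f.Imported {
			status = "IMPORTED: treat as real"
		}
		fmt.Printf("%s %s %s -> %s: %s\n", f.Target, f.ID, f.Module, strings.Join(f.Packages, ","), status)
	}
}
```

This is a module-versus-package sanity check, not a substitute for `govulncheck ./...`, which resolves reachability down to the vulnerable function rather than the package.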

@beorn7
Member

beorn7 commented Sep 13, 2022

These reports should disappear with the next minor release of the Alertmanager (as we routinely upgrade dependencies for a minor release). However, if these CVEs are all in code that is not actually used in the Alertmanager, there will be no bugfix release for it.

As @M4rkus- said, please don't report security issues via a GH issue. (It could be a real issue, and then it should be fixed first before it is publicly announced.) Please follow the Prometheus security policy (also linked from SECURITY.md).

@hpvd

hpvd commented Oct 26, 2022

@beorn7

As @M4rkus- said, please don't report security issues via a GH issue. (It could be a real issue, and then it should be fixed first before it is publicly announced.) Please follow the Prometheus security policy (also linked from SECURITY.md).

I had email contact with the Apache security team about the same circumstance in one of their projects; they told me:

We regularly get reports sent to us from scanning tools that look at dependencies out of context on how they are actually used in the projects. As such we initially reject this report as a security issue. Nonetheless, we'd warmly welcome ... if you'd contribute this finding as a normal bug report and/or patch to the project. Since outdated dependencies without further analysis are quite public, there is no need to use this private reporting mechanism in that case.

With this, a report like this issue or #3117 (which also reports findings from Trivy, documented at artifacthub.io) filed as a normal issue would be perfectly fine for Apache projects (since every vulnerability with a CVE is already public)
=> should it be handled in a different way for Prometheus?

@beorn7
Member

beorn7 commented Oct 26, 2022

Dependencies are generally updated automatically. Therefore, each minor release should include all pending dependency updates. (And chances are that the dependencies your security scan has listed are already updated in the main branch.)

If there are reasons to expedite the release of a version with updated dependencies, we can cut a bugfix release. If those reasons are actually security issues, then please use the non-public reporting mechanism discussed above. If there are other reasons, feel free to report them as an issue.

@hpvd

hpvd commented Oct 27, 2022

Many thanks for detailing it.
Yes, there are already some updates fixing CVEs within main.
Since usage of Dependabot, which finds and triggers these updates, was introduced on Jul 6
(#2914)
while the last release (v0.24) was in March
=> maybe it's not a bad time to think about a new v0.24.1...

@simonpasquier
Member

closed by #3187
