
Security Vulnerabilities in prometheus/alertmanager:v0.27.0 #4028

Open
arokade-px opened this issue Sep 12, 2024 · 1 comment

Comments

@arokade-px

The security scan of the Prometheus Alertmanager image quay.io/prometheus/alertmanager:v0.27.0 has identified multiple vulnerabilities. These issues need to be addressed to ensure the security of the Alertmanager deployment.

What did you do?
Performed a vulnerability scan using Aqua Security’s Trivy tool on the quay.io/prometheus/alertmanager:v0.27.0 image.

What did you expect to see?
An image without critical security vulnerabilities or a clear path for remediation.

What did you see instead? Under which circumstances?

# trivy --scanners vuln image quay.io/prometheus/alertmanager:v0.27.0
2024-09-12T08:26:14Z    INFO    [vuln] Vulnerability scanning is enabled
2024-09-12T08:26:15Z    INFO    Number of language-specific files       num=2
2024-09-12T08:26:15Z    INFO    [gobinary] Detecting vulnerabilities...
2024-09-12T08:26:15Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.55/docs/scanner/vulnerability#severity-selection for details.

bin/alertmanager (gobinary)

Total: 15 (UNKNOWN: 0, LOW: 0, MEDIUM: 12, HIGH: 2, CRITICAL: 1)

┌────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │    Vulnerability    │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/rs/cors         │ GHSA-mh55-gqvf-xfwm │ MEDIUM   │ fixed  │ v1.10.1           │ 1.11.0          │ Denial of service via malicious preflight requests in        │
│                            │                     │          │        │                   │                 │ github.com/rs/cors                                           │
│                            │                     │          │        │                   │                 │ https://github.com/advisories/GHSA-mh55-gqvf-xfwm            │
├────────────────────────────┼─────────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net           │ CVE-2023-45288      │          │        │ v0.20.0           │ 0.23.0          │ golang: net/http, x/net/http2: unlimited number of           │
│                            │                     │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
├────────────────────────────┼─────────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf │ CVE-2024-24786      │          │        │ v1.32.0           │ 1.33.0          │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                            │                     │          │        │                   │                 │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                            │                     │          │        │                   │                 │ certain forms of...                                          │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
├────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                     │ CVE-2024-24790      │ CRITICAL │        │ 1.21.7            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│                            │                     │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│                            ├─────────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45288      │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│                            │                     │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                            ├─────────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34156      │          │        │                   │ 1.22.7, 1.23.1  │ encoding/gob: golang: Calling Decoder.Decode on a message    │
│                            │                     │          │        │                   │                 │ which contains deeply nested structures...                   │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34156                   │
│                            ├─────────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45289      │ MEDIUM   │        │                   │ 1.21.8, 1.22.1  │ golang: net/http/cookiejar: incorrect forwarding of          │
│                            │                     │          │        │                   │                 │ sensitive headers and cookies on HTTP redirect...            │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│                            ├─────────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45290      │          │        │                   │                 │ golang: net/http: memory exhaustion in                       │
│                            │                     │          │        │                   │                 │ Request.ParseMultipartForm                                   │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│                            ├─────────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24783      │          │        │                   │                 │ golang: crypto/x509: Verify panics on certificates with an   │
│                            │                     │          │        │                   │                 │ unknown public key algorithm...                              │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│                            ├─────────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24784      │          │        │                   │                 │ golang: net/mail: comments in display names are incorrectly  │
│                            │                     │          │        │                   │                 │ handled                                                      │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│                            ├─────────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24785      │          │        │                   │                 │ golang: html/template: errors returned from MarshalJSON      │
│                            │                     │          │        │                   │                 │ methods may break template escaping                          │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
│                            ├─────────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24789      │          │        │                   │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│                            ├─────────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24791      │          │        │                   │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│                            │                     │          │        │                   │                 │ handling in net/http                                         │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
│                            ├─────────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34155      │          │        │                   │ 1.22.7, 1.23.1  │ go/parser: golang: Calling any of the Parse functions        │
│                            │                     │          │        │                   │                 │ containing deeply nested literals...                         │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34155                   │
│                            ├─────────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34158      │          │        │                   │                 │ go/build/constraint: golang: Calling Parse on a "// +build"  │
│                            │                     │          │        │                   │                 │ build tag line with...                                       │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34158                   │
└────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

bin/amtool (gobinary)

Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 11, HIGH: 2, CRITICAL: 1)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net           │ CVE-2023-45288 │ MEDIUM   │ fixed  │ v0.20.0           │ 0.23.0          │ golang: net/http, x/net/http2: unlimited number of           │
│                            │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
├────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf │ CVE-2024-24786 │          │        │ v1.32.0           │ 1.33.0          │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                            │                │          │        │                   │                 │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                            │                │          │        │                   │                 │ certain forms of...                                          │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
├────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                     │ CVE-2024-24790 │ CRITICAL │        │ 1.21.7            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│                            │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│                            ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│                            │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                            ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34156 │          │        │                   │ 1.22.7, 1.23.1  │ encoding/gob: golang: Calling Decoder.Decode on a message    │
│                            │                │          │        │                   │                 │ which contains deeply nested structures...                   │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34156                   │
│                            ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1  │ golang: net/http/cookiejar: incorrect forwarding of          │
│                            │                │          │        │                   │                 │ sensitive headers and cookies on HTTP redirect...            │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│                            ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45290 │          │        │                   │                 │ golang: net/http: memory exhaustion in                       │
│                            │                │          │        │                   │                 │ Request.ParseMultipartForm                                   │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│                            ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24783 │          │        │                   │                 │ golang: crypto/x509: Verify panics on certificates with an   │
│                            │                │          │        │                   │                 │ unknown public key algorithm...                              │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│                            ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24784 │          │        │                   │                 │ golang: net/mail: comments in display names are incorrectly  │
│                            │                │          │        │                   │                 │ handled                                                      │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│                            ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24785 │          │        │                   │                 │ golang: html/template: errors returned from MarshalJSON      │
│                            │                │          │        │                   │                 │ methods may break template escaping                          │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
│                            ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24789 │          │        │                   │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│                            ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24791 │          │        │                   │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│                            │                │          │        │                   │                 │ handling in net/http                                         │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
│                            ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34155 │          │        │                   │ 1.22.7, 1.23.1  │ go/parser: golang: Calling any of the Parse functions        │
│                            │                │          │        │                   │                 │ containing deeply nested literals...                         │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34155                   │
│                            ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34158 │          │        │                   │                 │ go/build/constraint: golang: Calling Parse on a "// +build"  │
│                            │                │          │        │                   │                 │ build tag line with...                                       │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34158                   │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

Steps to reproduce:

  1. Run the following command to scan the Docker image for vulnerabilities:
    trivy --scanners vuln image quay.io/prometheus/alertmanager:v0.27.0
  2. Observe the listed vulnerabilities and their details.

Possible Solution:
Update the dependencies in the Alertmanager image to resolve the identified vulnerabilities. For instance:

  1. Update golang.org/x/net to at least version 0.23.0
  2. Update google.golang.org/protobuf to at least version 1.33.0
  3. Other library updates as per the vulnerability details.
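
One way to verify that a rebuilt image actually clears the findings above is to compare a go.mod against the "Fixed Version" column of the Trivy table. The following is an added example, not Alertmanager's own code: the go.mod text and the module example.com/unrelated are constructed, and reading the go/toolchain directive as the "stdlib" version is an approximation of what Trivy reads from the built binary.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Minimum versions that clear the Trivy findings quoted above (its "Fixed Version"
// column); "stdlib" is the lowest 1.22.x release covering every stdlib CVE listed.
var minVersions = map[string]string{
	"github.com/rs/cors":         "v1.11.0",
	"golang.org/x/net":           "v0.23.0",
	"google.golang.org/protobuf": "v1.33.0",
	"stdlib":                     "1.22.7",
}

// vnum parses "v1.2.3", "1.21" or "go1.22.7" into [major minor patch]; a missing patch is 0, a "-rc1"/"+incompatible" suffix is dropped.
func vnum(v string) (n [3]int) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p) // a non-numeric component counts as 0
	}
	return n
}

// older reports whether version have is below the minimum recorded for name; untracked modules are never flagged.
func older(name, have string) bool {
	min, tracked := minVersions[name]
	h, m := vnum(have), vnum(min)
	return tracked && (h[0] < m[0] || h[0] == m[0] && (h[1] < m[1] || h[1] == m[1] && h[2] < m[2]))
}

// CheckGoMod scans go.mod text and returns every tracked dependency still below its
// minimum (name -> version found). The go/toolchain directive stands in for "stdlib";
// for a built binary the authoritative toolchain is what `go version -m` prints.
func CheckGoMod(goMod string) map[string]string {
	outdated := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // "path version [// indirect]" inside a require block
		switch {
		case len(f) < 2 || strings.HasPrefix(f[0], "//") || f[0] == "exclude":
			continue // blank, comment, ")" and excluded versions carry no installed version
		case f[0] == "go", f[0] == "toolchain": // a later toolchain directive overrides go
			delete(outdated, "stdlib")
			f = []string{"stdlib", f[1]}
		case f[0] == "require" && len(f) >= 3: // single-line form
			f = f[1:]
		}
		if older(f[0], f[1]) {
			outdated[f[0]] = f[1]
		}
	}
	return outdated
}

// sampleGoMod is a constructed fragment mirroring the versions Trivy reported for v0.27.0.
const sampleGoMod = "module example.com/check\n\ngo 1.21\n\nrequire (\n\tgithub.com/rs/cors v1.10.1\n" +
	"\tgolang.org/x/net v0.20.0\n\tgoogle.golang.org/protobuf v1.32.0 // indirect\n\texample.com/unrelated v9.9.9\n)\n"

func main() {
	for name, have := range CheckGoMod(sampleGoMod) {
		fmt.Printf("%-28s %-8s needs >= %s\n", name, have, minVersions[name])
	}
}
```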

@vvxxvvxx

Hi, do you have a plan to fix golang.org/x/net CVE-2023-45288 vulnerability?
