
Security Vulnerabilities in prometheus/alertmanager:v0.27.0

Open arokade-px opened this issue 1 year ago • 4 comments

The security scan of the Prometheus Alertmanager image quay.io/prometheus/alertmanager:v0.27.0 has identified multiple vulnerabilities. These issues need to be addressed to ensure the security of the Alertmanager deployment.

What did you do? Performed a vulnerability scan using Aqua Security’s Trivy tool on the quay.io/prometheus/alertmanager:v0.27.0 image.

What did you expect to see? An image without critical security vulnerabilities or a clear path for remediation.

What did you see instead? Under which circumstances?

# trivy --scanners vuln image quay.io/prometheus/alertmanager:v0.27.0
2024-09-12T08:26:14Z    INFO    [vuln] Vulnerability scanning is enabled
2024-09-12T08:26:15Z    INFO    Number of language-specific files       num=2
2024-09-12T08:26:15Z    INFO    [gobinary] Detecting vulnerabilities...
2024-09-12T08:26:15Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.55/docs/scanner/vulnerability#severity-selection for details.

bin/alertmanager (gobinary)

Total: 15 (UNKNOWN: 0, LOW: 0, MEDIUM: 12, HIGH: 2, CRITICAL: 1)

┌────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │    Vulnerability    │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/rs/cors         │ GHSA-mh55-gqvf-xfwm │ MEDIUM   │ fixed  │ v1.10.1           │ 1.11.0          │ Denial of service via malicious preflight requests in        │
│                            │                     │          │        │                   │                 │ github.com/rs/cors                                           │
│                            │                     │          │        │                   │                 │ https://github.com/advisories/GHSA-mh55-gqvf-xfwm            │
├────────────────────────────┼─────────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net           │ CVE-2023-45288      │          │        │ v0.20.0           │ 0.23.0          │ golang: net/http, x/net/http2: unlimited number of           │
│                            │                     │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
├────────────────────────────┼─────────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf │ CVE-2024-24786      │          │        │ v1.32.0           │ 1.33.0          │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                            │                     │          │        │                   │                 │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                            │                     │          │        │                   │                 │ certain forms of...                                          │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
├────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                     │ CVE-2024-24790      │ CRITICAL │        │ 1.21.7            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│                            │                     │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│                            ├─────────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45288      │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│                            │                     │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                            ├─────────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34156      │          │        │                   │ 1.22.7, 1.23.1  │ encoding/gob: golang: Calling Decoder.Decode on a message    │
│                            │                     │          │        │                   │                 │ which contains deeply nested structures...                   │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34156                   │
│                            ├─────────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45289      │ MEDIUM   │        │                   │ 1.21.8, 1.22.1  │ golang: net/http/cookiejar: incorrect forwarding of          │
│                            │                     │          │        │                   │                 │ sensitive headers and cookies on HTTP redirect...            │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│                            ├─────────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45290      │          │        │                   │                 │ golang: net/http: memory exhaustion in                       │
│                            │                     │          │        │                   │                 │ Request.ParseMultipartForm                                   │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│                            ├─────────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24783      │          │        │                   │                 │ golang: crypto/x509: Verify panics on certificates with an   │
│                            │                     │          │        │                   │                 │ unknown public key algorithm...                              │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│                            ├─────────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24784      │          │        │                   │                 │ golang: net/mail: comments in display names are incorrectly  │
│                            │                     │          │        │                   │                 │ handled                                                      │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│                            ├─────────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24785      │          │        │                   │                 │ golang: html/template: errors returned from MarshalJSON      │
│                            │                     │          │        │                   │                 │ methods may break template escaping                          │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
│                            ├─────────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24789      │          │        │                   │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│                            ├─────────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24791      │          │        │                   │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│                            │                     │          │        │                   │                 │ handling in net/http                                         │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
│                            ├─────────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34155      │          │        │                   │ 1.22.7, 1.23.1  │ go/parser: golang: Calling any of the Parse functions        │
│                            │                     │          │        │                   │                 │ containing deeply nested literals...                         │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34155                   │
│                            ├─────────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34158      │          │        │                   │                 │ go/build/constraint: golang: Calling Parse on a "// +build"  │
│                            │                     │          │        │                   │                 │ build tag line with...                                       │
│                            │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34158                   │
└────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

bin/amtool (gobinary)

Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 11, HIGH: 2, CRITICAL: 1)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net           │ CVE-2023-45288 │ MEDIUM   │ fixed  │ v0.20.0           │ 0.23.0          │ golang: net/http, x/net/http2: unlimited number of           │
│                            │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
├────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf │ CVE-2024-24786 │          │        │ v1.32.0           │ 1.33.0          │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                            │                │          │        │                   │                 │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                            │                │          │        │                   │                 │ certain forms of...                                          │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
├────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                     │ CVE-2024-24790 │ CRITICAL │        │ 1.21.7            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│                            │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│                            ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│                            │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                            ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34156 │          │        │                   │ 1.22.7, 1.23.1  │ encoding/gob: golang: Calling Decoder.Decode on a message    │
│                            │                │          │        │                   │                 │ which contains deeply nested structures...                   │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34156                   │
│                            ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1  │ golang: net/http/cookiejar: incorrect forwarding of          │
│                            │                │          │        │                   │                 │ sensitive headers and cookies on HTTP redirect...            │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│                            ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2023-45290 │          │        │                   │                 │ golang: net/http: memory exhaustion in                       │
│                            │                │          │        │                   │                 │ Request.ParseMultipartForm                                   │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│                            ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24783 │          │        │                   │                 │ golang: crypto/x509: Verify panics on certificates with an   │
│                            │                │          │        │                   │                 │ unknown public key algorithm...                              │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│                            ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24784 │          │        │                   │                 │ golang: net/mail: comments in display names are incorrectly  │
│                            │                │          │        │                   │                 │ handled                                                      │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│                            ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24785 │          │        │                   │                 │ golang: html/template: errors returned from MarshalJSON      │
│                            │                │          │        │                   │                 │ methods may break template escaping                          │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
│                            ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24789 │          │        │                   │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│                            ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-24791 │          │        │                   │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│                            │                │          │        │                   │                 │ handling in net/http                                         │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
│                            ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34155 │          │        │                   │ 1.22.7, 1.23.1  │ go/parser: golang: Calling any of the Parse functions        │
│                            │                │          │        │                   │                 │ containing deeply nested literals...                         │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34155                   │
│                            ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34158 │          │        │                   │                 │ go/build/constraint: golang: Calling Parse on a "// +build"  │
│                            │                │          │        │                   │                 │ build tag line with...                                       │
│                            │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34158                   │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

Steps to reproduce:

  1. Run the following command to scan the Docker image for vulnerabilities: trivy --scanners vuln image quay.io/prometheus/alertmanager:v0.27.0
  2. Observe the listed vulnerabilities and their details.

Possible Solution: Update the dependencies in the Alertmanager image to resolve the identified vulnerabilities. For instance:

  1. Update golang.org/x/net to at least version 0.23.0
  2. Update google.golang.org/protobuf to at least version 1.33.0
  3. Other library updates as per the vulnerability details.

arokade-px, Sep 12 '24 08:09
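The "Possible Solution" list above stops at two module bumps and "other library updates as per the vulnerability details". For a Go binary the work is mostly in the `stdlib` rows, where Trivy prints one fixed version per supported release line ("1.21.11, 1.22.4") and the lines do not all cover every CVE: the report shows CVE-2024-34156 fixed only in 1.22.7/1.23.1, so no 1.21.x toolchain can clear the whole table. The following is an added example, not code from the Alertmanager project or from the reporter: it reads the JSON form of the same report (`trivy image -f json`), and for a package works out the lowest version that satisfies every finding under Go's backport scheme (a fix listed for 1.21 and 1.22 is also present in 1.23.0; a line older than every listed fix never gets it). The embedded report is a constructed, trimmed copy of the findings quoted in the issue, carrying only the fields the computation reads.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// The part of Trivy's JSON report (`trivy image -f json ...`) that the triage reads.
type Report struct {
	Results []struct {
		Vulnerabilities []Vuln `json:"Vulnerabilities"`
	} `json:"Results"`
}

type Vuln struct {
	ID    string `json:"VulnerabilityID"`
	Pkg   string `json:"PkgName"`
	Fixed string `json:"FixedVersion"` // "1.21.11, 1.22.4": first fixed release on each supported line
}

// Constructed sample: a trimmed copy of the findings quoted in the issue, in the
// shape Trivy's JSON output takes (not the full report). Entries repeated for
// bin/amtool are kept to show they do not disturb the result.
const sampleReport = `{"Results": [
 {"Target": "bin/alertmanager", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-2023-45288", "PkgName": "golang.org/x/net", "FixedVersion": "0.23.0"},
  {"VulnerabilityID": "CVE-2024-24790", "PkgName": "stdlib", "FixedVersion": "1.21.11, 1.22.4"},
  {"VulnerabilityID": "CVE-2024-34156", "PkgName": "stdlib", "FixedVersion": "1.22.7, 1.23.1"},
  {"VulnerabilityID": "CVE-2024-24791", "PkgName": "stdlib", "FixedVersion": "1.21.12, 1.22.5"}]},
 {"Target": "bin/amtool", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-2024-24790", "PkgName": "stdlib", "FixedVersion": "1.21.11, 1.22.4"},
  {"VulnerabilityID": "CVE-2024-34156", "PkgName": "stdlib", "FixedVersion": "1.22.7, 1.23.1"}]}]}`

// version is a parsed "v1.21.7" / "1.22.4": {major, minor, patch}.
type version [3]int

func parseVersion(s string) (v version, err error) {
	_, err = fmt.Sscanf(strings.TrimPrefix(strings.TrimSpace(s), "v"), "%d.%d.%d", &v[0], &v[1], &v[2])
	return v, err
}

func (a version) less(b version) bool {
	return a[0] < b[0] || a[0] == b[0] && (a[1] < b[1] || a[1] == b[1] && a[2] < b[2])
}

// line is the release line a version belongs to: 1.22.7 -> 1.22.0.
func (a version) line() version { return version{a[0], a[1], 0} }

// MinimalUpgrade returns the lowest version of pkg that clears every finding
// against it. A finding is cleared on a line either by that line's own listed
// fix or, when the finding lists fixes only for older lines, by any release of
// the line; a line older than all of a finding's fixes can never clear it.
func MinimalUpgrade(reportJSON, pkg string) (string, error) {
	var r Report
	if err := json.Unmarshal([]byte(reportJSON), &r); err != nil {
		return "", err
	}
	var fixes []map[version]version // per finding: release line -> first fixed version on it
	lines := map[version]bool{}     // every release line some fix names
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if v.Pkg != pkg {
				continue
			}
			fx := map[version]version{}
			for _, s := range strings.Split(v.Fixed, ",") {
				fv, err := parseVersion(s)
				if err != nil {
					return "", err
				}
				fx[fv.line()], lines[fv.line()] = fv, true
			}
			fixes = append(fixes, fx)
		}
	}
	var best version
	found := false
	for ln := range lines {
		req, ok := ln, true // any release on this line, until a finding demands a later patch
		for _, fx := range fixes {
			if fv, has := fx[ln]; has {
				if req.less(fv) {
					req = fv
				}
			} else {
				for _, fv := range fx { // no fix on this line: fine only if every fix sits on an older line
					ok = ok && fv.line().less(ln)
				}
			}
		}
		if ok && (!found || req.less(best)) {
			best, found = req, true
		}
	}
	if !found {
		return "", fmt.Errorf("no release line clears every %s finding", pkg)
	}
	return fmt.Sprintf("%d.%d.%d", best[0], best[1], best[2]), nil
}

func main() {
	for _, pkg := range []string{"stdlib", "golang.org/x/net"} {
		v, err := MinimalUpgrade(sampleReport, pkg)
		fmt.Println(pkg, v, err)
	}
}
```

On the sample this yields 1.22.7 for `stdlib` (1.21 is rejected because CVE-2024-34156 has no 1.21 fix; 1.23.1 also works but is later) and 0.23.0 for `golang.org/x/net`. The same logic applies to the full report: for the Go toolchain the binding constraint is always the highest fixed patch on the lowest line that covers every row, which is why a minor module bump alone does not turn the scan green.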

Hi, do you have a plan to fix golang.org/x/net CVE-2023-45288 vulnerability?

vvxxvvxx, Oct 16 '24 04:10

Hi, do we have any update on fixing the above vulnerability?

akshay-slice, Dec 04 '24 09:12

Any update on this? Looks to be an issue for us during security scans.

Aaron-ML, May 14 '25 17:05

Same here, our security tools are flagging alertmanager with those CVEs:

  • CVE-2024-45337 - golang.org/x/crypto, golang.org/x/crypto
  • CVE-2024-24790 - go/stdlib, go/stdlib
  • CVE-2025-22871 - go/stdlib, go/stdlib

We suppressed them for now, but it would be nice to have an updated version of alertmanager, especially since golang already released versions fixing those CVEs.

hsebouai, Jun 04 '25 14:06

Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying. Please verify vulnerability reports and include specific details as to which components are directly exploitable.

https://prometheus.io/docs/operating/security/#automated-security-scanners

Also, the latest release is v0.29.0 by now.

TheMeier, Nov 14 '25 16:11
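The policy linked above asks a reporter to say which component is directly exploitable rather than to paste the scanner table. For the one CRITICAL row in the scan, CVE-2024-24790, that question has a concrete shape: before Go 1.21.11 / 1.22.4 the `netip.Addr` classifiers (`IsLoopback`, `IsPrivate`, ...) returned false for IPv4-mapped IPv6 addresses such as `::ffff:127.0.0.1`, so the finding only matters where code feeds attacker-controlled addresses through those methods to make a security decision. The following is an added example and not Alertmanager code: a generic outbound-target guard written in the fragile form beside the hardened form that calls `Unmap()` first, plus a probe that reports whether the toolchain a binary was built with still shows the pre-fix behaviour. `CheckTarget` and `Disagrees` are hypothetical helpers for the example; the sample hosts are constructed (203.0.113.0/24 is documentation address space). Whether Alertmanager reaches the affected methods with untrusted input is what a report would need to establish; `govulncheck -mode binary bin/alertmanager` answers that at symbol level, which is the difference between a scanner match and an exploitable finding.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isInternalNaive classifies an address the way an SSRF/loopback guard for
// outbound webhook targets would. It calls the netip Is* methods directly, so a
// binary built with Go older than 1.21.11 / 1.22.4 is subject to CVE-2024-24790:
// those methods returned false for IPv4-mapped forms such as ::ffff:127.0.0.1,
// and the guard could be bypassed by writing a loopback or private address that way.
func isInternalNaive(a netip.Addr) bool {
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsUnspecified()
}

// isInternalHardened strips the ::ffff:0:0/96 mapping first, so the IPv4
// classification is applied whatever the toolchain does with mapped addresses.
func isInternalHardened(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsUnspecified()
}

// CheckTarget parses an IP literal and refuses internal destinations.
// Hypothetical helper for this example, not an Alertmanager API.
func CheckTarget(host string) error {
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return fmt.Errorf("%q is not an IP literal: %w", host, err)
	}
	if isInternalHardened(addr) {
		return fmt.Errorf("refusing internal destination %s (canonical %s)", addr, addr.Unmap())
	}
	return nil
}

// Disagrees reports whether the naive and hardened guards differ for host, i.e.
// whether the toolchain this binary was built with still has the CVE-2024-24790
// behaviour for that input. Run it with the toolchain you actually ship.
func Disagrees(host string) bool {
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false
	}
	return isInternalNaive(addr) != isInternalHardened(addr)
}

func main() {
	// Constructed inputs: loopback, private and public hosts in plain and IPv4-mapped form.
	hosts := []string{"127.0.0.1", "::ffff:127.0.0.1", "10.0.0.5", "::ffff:10.0.0.5",
		"203.0.113.7", "::ffff:203.0.113.7", "::1"}
	for _, h := range hosts {
		a := netip.MustParseAddr(h)
		fmt.Printf("%-22s mapped=%-5v naive=%-5v hardened=%-5v toolchain_differs=%v\n",
			h, a.Is4In6(), isInternalNaive(a), isInternalHardened(a), Disagrees(h))
	}
}
```

On a fixed toolchain the `toolchain_differs` column is false for every row; on an affected one it is true for the mapped loopback and private rows, which is the evidence the maintainers are asking for, in place of a severity label.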