
Bump x/net, prometheus/common deps to avoid GO-2023-1495 and GO-2022-1144 govuln warnings

Open xxgreg opened this issue 2 years ago • 4 comments

I've started using govulncheck in my project and I'm getting warnings due to the following dependency chain:

github.com/prometheus/client_golang v1.14.0 github.com/prometheus/common v0.37.0 golang.org/x/net/[email protected]

It looks like there's a newer version of prometheus/common which has bumped the x/net dependency. I assume the fix is for prometheus/client_golang to bump the prometheus/common dep.

Vulnerability #1: GO-2023-1495
  A request smuggling attack is possible when using
  MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP
  request is not fully consumed. When the server attempts to read
  HTTP2 frames from the connection, it will instead be reading the
  body of the HTTP request, which could be attacker-manipulated to
  represent arbitrary HTTP2 requests.

  Call stacks in your code:
      <snip> calls github.com/uber-go/tally/v4/prometheus.Configuration.NewReporter, which eventually calls golang.org/x/net/http2/h2c.h2cHandler.ServeHTTP

  Found in: golang.org/x/net/http2/[email protected]
  Fixed in: golang.org/x/net/http2/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2023-1495

Vulnerability #2: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server
  accepting HTTP/2 requests. HTTP/2 server connections contain a
  cache of HTTP header keys sent by the client. While the total
  number of entries in this cache is capped, an attacker sending
  very large keys can cause the server to allocate approximately
  64 MiB per open connection.

  Call stacks in your code:
      <snip> calls github.com/uber-go/tally/v4/prometheus.Configuration.NewReporter, which eventually calls golang.org/x/net/http2.Server.ServeConn

  Found in: golang.org/x/net/[email protected]
  Fixed in: golang.org/x/net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1144

xxgreg, Jan 18 '23 04:01

This is bothering me as well; is it possible to release an update?

cmur2, Feb 14 '23 12:02

Also popped up for my projects.

foosinn, Mar 10 '23 10:03

Dependencies are regularly updated in the main branch (and in fact, github.com/prometheus/common has been updated multiple times). Any new release cut will include those updates (and you are free to build from the head of the main branch yourself, of course).

We would only cut a bugfix release for those if they actually affect prometheus/client_golang. I doubt that any of the vulnerable code is actually called through anything in prometheus/client_golang, but we would love to hear if that assessment is wrong (in which case a bugfix release should be cut).

beorn7, Mar 16 '23 12:03
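The chain quoted in the issue body (app, then client_golang, then prometheus/common, then x/net) can be reconstructed from `go mod graph` output to see which direct dependency pulls the flagged module in. The following is an added example, not code from client_golang or from anyone in this thread: a breadth-first search over constructed graph lines (the tally version and the x/net version are placeholders, since the issue text does not preserve the x/net version). Appearing on such a path is necessary but not sufficient for exposure; govulncheck's call-graph analysis (the "Call stacks in your code" section above) is what decides whether the vulnerable symbols are actually reached, which is the assessment beorn7 asks for.

```go
package main

import "strings"

// Constructed sample of `go mod graph` output (illustrative, not from the
// issue). The tally and x/net versions are placeholders.
const sampleGraph = `example.com/app github.com/prometheus/client_golang@v1.14.0
example.com/app github.com/uber-go/tally/v4@v4.0.0-placeholder
github.com/prometheus/client_golang@v1.14.0 github.com/prometheus/common@v0.37.0
github.com/uber-go/tally/v4@v4.0.0-placeholder github.com/prometheus/client_golang@v1.14.0
github.com/prometheus/common@v0.37.0 golang.org/x/net@v0.0.0-placeholder`

// moduleOf strips the "@version" suffix from a graph node.
func moduleOf(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// FindPath parses `go mod graph` lines ("from to" pairs) and runs a BFS from
// root, returning the shortest module@version chain ending at target, or nil.
func FindPath(graph, root, target string) []string {
	edges := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	parent := map[string]string{root: ""} // node -> predecessor on the path
	queue := []string{root}
	for len(queue) > 0 {
		node := queue[0]
		queue = queue[1:]
		if moduleOf(node) == target {
			var path []string // walk parent links back to the root
			for n := node; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range edges[node] {
			if _, seen := parent[next]; !seen {
				parent[next] = node
				queue = append(queue, next)
			}
		}
	}
	return nil
}
```

Feed it the real output of `go mod graph` from your module to get the actual chain; the path shows who to bump, not whether the vulnerable code is called.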

Hello 👋 Looks like there was no activity on this issue for the last 3 months. Do you mind updating us on the status? Is this still reproducible or needed? If yes, just comment on this PR or push a commit. Thanks! 🤗 If there will be no activity in the next 4 weeks, this issue will be closed (we can always reopen an issue if we need!).

stale[bot], Sep 17 '23 05:09