
Please cut a new release to address CVEs affecting the IsLoopback function used in node_exporter #3154

Open
PelagicGames opened this issue Oct 14, 2024 · 3 comments

Comments

@PelagicGames

Host operating system: output of uname -a

n/a

node_exporter version: output of node_exporter --version

1.8.2

node_exporter command line flags

n/a

node_exporter log output

n/a

Are you running node_exporter in Docker?

Yes

What did you do that produced an error?

Trivy scan highlights CVEs, with at least one impacting node_exporter:

What did you expect to see?

Clean scan

What did you see instead?

CVEs that have been resolved in master at HEAD, but not in the latest release

@discordianfish
Member

They are not exploitable.

@mykaul

mykaul commented Nov 4, 2024

Thanks @discordianfish for confirming. However, I find it sometimes easier to build a new release than to explain that a vulnerability is not exploitable.
This is what I got the last time I ran it (snippet):

ykaul@ykaul:~$ trivy repository https://github.com/prometheus/node_exporter --branch release-1.8 --scanners vuln   --detection-priority comprehensive
2024-10-29T17:19:29+02:00	INFO	[vuln] Vulnerability scanning is enabled
Enumerating objects: 6544, done.
Counting objects: 100% (6544/6544), done.
Compressing objects: 100% (3536/3536), done.
Total 6544 (delta 3343), reused 5501 (delta 2547), pack-reused 0 (from 0)
2024-10-29T17:19:32+02:00	INFO	Number of language-specific files	num=1
2024-10-29T17:19:32+02:00	INFO	[gomod] Detecting vulnerabilities...
2024-10-29T17:19:32+02:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.

go.mod (gomod)

Total: 20 (UNKNOWN: 0, LOW: 0, MEDIUM: 13, HIGH: 6, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.0            │ 1.21.11, 1.22.4                  │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                                  │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39321 │ HIGH     │        │                   │ 1.21.1                           │ golang: crypto/tls: panic when processing post-handshake     │
│         │                │          │        │                   │                                  │ message on QUIC connections                                  │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39321                   │
│         ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39322 │          │        │                   │                                  │ golang: crypto/tls: lack of a limit on buffered              │
│         │                │          │        │                   │                                  │ post-handshake                                               │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39322                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39325 │          │        │                   │ 1.20.10, 1.21.3                  │ golang: net/http, x/net/http2: rapid stream resets can cause │
│         │                │          │        │                   │                                  │ excessive work (CVE-2023-44487)                              │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45283 │          │        │                   │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\    │
│         │                │          │        │                   │                                  │ prefix as...                                                 │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45283                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │          │        │                   │ 1.21.9, 1.22.2                   │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                                  │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34156 │          │        │                   │ 1.22.7, 1.23.1                   │ encoding/gob: golang: Calling Decoder.Decode on a message    │
│         │                │          │        │                   │                                  │ which contains deeply nested structures...                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-34156                   │
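The CVE-2024-24790 row above concerns net/netip's Is methods (IsLoopback among them) returning false for IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. The following is an added example, not code from node_exporter or from this thread: a hypothetical helper that normalises with Unmap before calling IsLoopback gives the same classification on patched and unpatched Go toolchains, and a second function reports whether the running toolchain already handles the mapped form on its own.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isLoopbackAddr is a hypothetical helper (not node_exporter's own code). It
// unmaps IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) before asking IsLoopback,
// so "::ffff:127.0.0.1" is classified like "127.0.0.1" regardless of whether
// the Go toolchain carries the CVE-2024-24790 fix.
func isLoopbackAddr(s string) (bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	// Unmap is a no-op for plain IPv4 and for non-mapped IPv6 addresses.
	return addr.Unmap().IsLoopback(), nil
}

// toolchainUnmapsInIsMethods reports whether the running Go toolchain's
// IsLoopback already accepts the mapped form directly: false on the affected
// versions, true on Go 1.21.11 / 1.22.4 and later.
func toolchainUnmapsInIsMethods() bool {
	return netip.MustParseAddr("::ffff:127.0.0.1").IsLoopback()
}

func main() {
	// Constructed sample addresses: both spellings of the IPv4-mapped
	// loopback, plus mapped and unmapped non-loopback addresses as controls.
	samples := []string{
		"127.0.0.1", "::1", "::ffff:127.0.0.1", "::ffff:7f00:1",
		"10.0.0.5", "::ffff:10.0.0.5", "::2",
	}
	fmt.Printf("toolchain IsLoopback handles mapped form: %v\n", toolchainUnmapsInIsMethods())
	for _, s := range samples {
		raw := netip.MustParseAddr(s).IsLoopback()
		fixed, err := isLoopbackAddr(s)
		if err != nil {
			fmt.Println(s, "parse error:", err)
			continue
		}
		fmt.Printf("%-18s raw IsLoopback=%-5v unmapped IsLoopback=%v\n", s, raw, fixed)
	}
}
```

On an unpatched toolchain the raw and unmapped columns differ only for the two mapped loopback spellings; on a patched one they agree for every sample.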

@martidelviscovo

Any news on this? Or a forecast of when this will happen? Thanks!
