Bug 2045880 (CVE-2022-21698) - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-21698
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2045882
Reported: 2022-01-25 20:36 UTC by Pedro Sampaio
Modified: 2022-08-10 13:14 UTC (History)

Fixed In Version: prometheus/client_golang 1.11.1
Doc Type: If docs needed, set a value
Doc Text:
A denial of service flaw was found in prometheus/client_golang. An attacker can trigger a denial of service against an HTTP server instrumented with the InstrumentHandlerCounter function in versions below 1.11.1, resulting in a loss of availability.
Clone Of:
Environment:
Last Closed: 2022-04-21 16:09:55 UTC




Links
System                  ID              Last Updated
Red Hat Product Errata  RHBA-2022:2176  2022-05-11 01:09:26 UTC
Red Hat Product Errata  RHSA-2022:1356  2022-04-21 13:15:54 UTC
Red Hat Product Errata  RHSA-2022:1461  2022-04-20 22:57:37 UTC
Red Hat Product Errata  RHSA-2022:1762  2022-05-10 13:18:07 UTC
Red Hat Product Errata  RHSA-2022:2216  2022-05-11 18:50:46 UTC
Red Hat Product Errata  RHSA-2022:2217  2022-05-11 20:33:43 UTC
Red Hat Product Errata  RHSA-2022:2218  2022-05-11 19:52:22 UTC
Red Hat Product Errata  RHSA-2022:2280  2022-05-31 05:42:14 UTC
Red Hat Product Errata  RHSA-2022:4667  2022-05-18 15:55:20 UTC
Red Hat Product Errata  RHSA-2022:4668  2022-05-18 20:26:54 UTC
Red Hat Product Errata  RHSA-2022:5026  2022-06-14 17:42:27 UTC
Red Hat Product Errata  RHSA-2022:5068  2022-08-10 10:08:34 UTC
Red Hat Product Errata  RHSA-2022:5069  2022-08-10 10:34:18 UTC
Red Hat Product Errata  RHSA-2022:5070  2022-08-10 10:23:20 UTC
Red Hat Product Errata  RHSA-2022:6040  2022-08-10 13:14:53 UTC
Red Hat Product Errata  RHSA-2022:6042  2022-08-10 11:36:36 UTC

Description Pedro Sampaio 2022-01-25 20:36:42 UTC
A malicious actor can in theory kill / DoS a server in Go instrumented using prometheus/client_golang InstrumentHandlerCounter in versions below 1.11.1.

InstrumentHandlerCounter function code:
https://github.com/prometheus/client_golang/blob/22da9497b8f0d53072dfc4721904faa7395d8318/prometheus/promhttp/instrument_server.go#L95

Security advisory:
https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p

Upstream fix:
https://github.com/prometheus/client_golang/commit/9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 [main]
https://github.com/prometheus/client_golang/commit/989baa30fe956631907493ccee1f8e7708660d96 [release-1.11]

Comment 9 Anten Skrabec 2022-03-23 20:26:55 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-34 [bug 2067357]


Created caddy tracking bugs for this issue:

Affects: fedora-34 [bug 2067358]


Created conmon tracking bugs for this issue:

Affects: fedora-34 [bug 2067359]


Created cri-o:1.18/cri-o tracking bugs for this issue:

Affects: fedora-34 [bug 2067360]


Created golang-github-deislabs-oras tracking bugs for this issue:

Affects: fedora-34 [bug 2067361]


Created golang-github-distribution-3 tracking bugs for this issue:

Affects: fedora-34 [bug 2067362]


Created golang-github-docker-compose-on-kubernetes tracking bugs for this issue:

Affects: fedora-34 [bug 2067363]


Created golang-github-docker-distribution tracking bugs for this issue:

Affects: fedora-34 [bug 2067364]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-34 [bug 2067365]


Created golang-github-hetznercloud-hcloud tracking bugs for this issue:

Affects: fedora-34 [bug 2067366]


Created golang-github-moby-buildkit tracking bugs for this issue:

Affects: fedora-34 [bug 2067367]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-7 [bug 2067351]
Affects: epel-8 [bug 2067354]
Affects: epel-all [bug 2067347]


Created golang-github-prometheus-alertmanager tracking bugs for this issue:

Affects: epel-8 [bug 2067350]


Created golang-github-prometheus-client tracking bugs for this issue:

Affects: fedora-34 [bug 2067368]


Created golang-github-prometheus-node-exporter tracking bugs for this issue:

Affects: epel-7 [bug 2067352]
Affects: epel-8 [bug 2067355]
Affects: epel-all [bug 2067346]


Created golang-github-skynetservices-skydns tracking bugs for this issue:

Affects: fedora-34 [bug 2067369]


Created golang-github-theupdateframework-notary tracking bugs for this issue:

Affects: fedora-34 [bug 2067370]


Created golang-k8s-apiextensions-apiserver tracking bugs for this issue:

Affects: fedora-34 [bug 2067371]


Created golang-k8s-apiserver tracking bugs for this issue:

Affects: fedora-34 [bug 2067372]


Created golang-k8s-cloud-provider tracking bugs for this issue:

Affects: fedora-34 [bug 2067373]


Created golang-k8s-controller-manager tracking bugs for this issue:

Affects: fedora-34 [bug 2067374]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-34 [bug 2067375]


Created golang-k8s-kubernetes tracking bugs for this issue:

Affects: fedora-34 [bug 2067376]


Created golang-k8s-legacy-cloud-providers tracking bugs for this issue:

Affects: fedora-34 [bug 2067377]


Created golang-k8s-pod-security-admission tracking bugs for this issue:

Affects: fedora-34 [bug 2067378]


Created golang-k8s-sample-apiserver tracking bugs for this issue:

Affects: fedora-34 [bug 2067379]


Created golang-sigs-k8s-application tracking bugs for this issue:

Affects: fedora-34 [bug 2067380]


Created mantle tracking bugs for this issue:

Affects: epel-7 [bug 2067348]


Created origin tracking bugs for this issue:

Affects: fedora-34 [bug 2067381]


Created podman tracking bugs for this issue:

Affects: fedora-34 [bug 2067382]


Created rclone tracking bugs for this issue:

Affects: epel-7 [bug 2067353]
Affects: epel-8 [bug 2067356]
Affects: epel-all [bug 2067349]


Created skopeo tracking bugs for this issue:

Affects: fedora-34 [bug 2067383]


Created source-to-image tracking bugs for this issue:

Affects: fedora-34 [bug 2067385]


Created stargz-snapshotter tracking bugs for this issue:

Affects: fedora-34 [bug 2067386]

Comment 10 Anten Skrabec 2022-03-23 20:37:38 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-35 [bug 2067422]
Affects: fedora-all [bug 2067389]


Created caddy tracking bugs for this issue:

Affects: fedora-35 [bug 2067423]
Affects: fedora-all [bug 2067390]


Created conmon tracking bugs for this issue:

Affects: fedora-35 [bug 2067424]
Affects: fedora-all [bug 2067391]


Created cri-o:1.18/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2067392]


Created cri-o:1.20/cri-o tracking bugs for this issue:

Affects: fedora-35 [bug 2067454]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: fedora-35 [bug 2067425]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-34 [bug 2067451]


Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 2067421]


Created golang-github-deislabs-oras tracking bugs for this issue:

Affects: fedora-35 [bug 2067426]
Affects: fedora-all [bug 2067393]


Created golang-github-distribution-3 tracking bugs for this issue:

Affects: fedora-35 [bug 2067427]
Affects: fedora-all [bug 2067394]


Created golang-github-docker-compose-on-kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 2067395]


Created golang-github-docker-distribution tracking bugs for this issue:

Affects: fedora-35 [bug 2067428]
Affects: fedora-all [bug 2067396]


Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-35 [bug 2067455]
Affects: fedora-all [bug 2067397]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-35 [bug 2067429]


Created golang-github-hetznercloud-hcloud tracking bugs for this issue:

Affects: fedora-35 [bug 2067430]
Affects: fedora-all [bug 2067398]


Created golang-github-moby-buildkit tracking bugs for this issue:

Affects: fedora-35 [bug 2067431]
Affects: fedora-all [bug 2067399]


Created golang-github-prometheus-client tracking bugs for this issue:

Affects: fedora-35 [bug 2067432]
Affects: fedora-all [bug 2067400]


Created golang-github-skynetservices-skydns tracking bugs for this issue:

Affects: fedora-35 [bug 2067433]
Affects: fedora-all [bug 2067401]


Created golang-github-theupdateframework-notary tracking bugs for this issue:

Affects: fedora-35 [bug 2067434]
Affects: fedora-all [bug 2067402]


Created golang-helm-3 tracking bugs for this issue:

Affects: fedora-35 [bug 2067435]


Created golang-k8s-apiextensions-apiserver tracking bugs for this issue:

Affects: fedora-35 [bug 2067436]
Affects: fedora-all [bug 2067403]


Created golang-k8s-apiserver tracking bugs for this issue:

Affects: fedora-35 [bug 2067437]
Affects: fedora-all [bug 2067404]


Created golang-k8s-cloud-provider tracking bugs for this issue:

Affects: fedora-35 [bug 2067438]
Affects: fedora-all [bug 2067405]


Created golang-k8s-controller-manager tracking bugs for this issue:

Affects: fedora-35 [bug 2067439]
Affects: fedora-all [bug 2067406]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-35 [bug 2067440]
Affects: fedora-all [bug 2067407]


Created golang-k8s-kubernetes tracking bugs for this issue:

Affects: fedora-35 [bug 2067441]
Affects: fedora-all [bug 2067409]


Created golang-k8s-legacy-cloud-providers tracking bugs for this issue:

Affects: fedora-35 [bug 2067442]
Affects: fedora-all [bug 2067410]


Created golang-k8s-pod-security-admission tracking bugs for this issue:

Affects: fedora-35 [bug 2067443]
Affects: fedora-all [bug 2067411]


Created golang-k8s-sample-apiserver tracking bugs for this issue:

Affects: fedora-35 [bug 2067444]
Affects: fedora-all [bug 2067412]


Created golang-sigs-k8s-application tracking bugs for this issue:

Affects: fedora-35 [bug 2067445]
Affects: fedora-all [bug 2067413]


Created grafana tracking bugs for this issue:

Affects: fedora-34 [bug 2067452]
Affects: fedora-35 [bug 2067446]
Affects: fedora-all [bug 2067414]


Created mantle tracking bugs for this issue:

Affects: fedora-34 [bug 2067453]
Affects: fedora-all [bug 2067415]


Created origin tracking bugs for this issue:

Affects: fedora-35 [bug 2067447]
Affects: fedora-all [bug 2067416]


Created podman tracking bugs for this issue:

Affects: fedora-35 [bug 2067448]
Affects: fedora-all [bug 2067417]


Created skopeo tracking bugs for this issue:

Affects: fedora-all [bug 2067418]


Created source-to-image tracking bugs for this issue:

Affects: fedora-35 [bug 2067449]
Affects: fedora-all [bug 2067419]


Created stargz-snapshotter tracking bugs for this issue:

Affects: fedora-35 [bug 2067450]
Affects: fedora-all [bug 2067420]

Comment 11 Anten Skrabec 2022-03-23 20:37:51 UTC
Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: fedora-34 [bug 2067457]

Comment 15 Anten Skrabec 2022-03-23 23:40:51 UTC
Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-34 [bug 2067706]

Comment 29 errata-xmlrpc 2022-04-20 22:57:28 UTC
This issue has been addressed in the following products:

  RHOL-5.4-RHEL-8

Via RHSA-2022:1461 https://access.redhat.com/errata/RHSA-2022:1461

Comment 30 errata-xmlrpc 2022-04-21 13:15:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:1356 https://access.redhat.com/errata/RHSA-2022:1356

Comment 31 Product Security DevOps Team 2022-04-21 16:09:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21698

Comment 33 errata-xmlrpc 2022-05-10 13:18:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1762 https://access.redhat.com/errata/RHSA-2022:1762

Comment 35 errata-xmlrpc 2022-05-11 18:50:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Logging 5.4

Via RHSA-2022:2216 https://access.redhat.com/errata/RHSA-2022:2216

Comment 36 errata-xmlrpc 2022-05-11 19:52:16 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.2

Via RHSA-2022:2218 https://access.redhat.com/errata/RHSA-2022:2218

Comment 37 errata-xmlrpc 2022-05-11 20:33:32 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2022:2217 https://access.redhat.com/errata/RHSA-2022:2217

Comment 38 errata-xmlrpc 2022-05-18 15:55:12 UTC
This issue has been addressed in the following products:

  RHEL-7-CNV-4.10
  RHEL-8-CNV-4.10

Via RHSA-2022:4667 https://access.redhat.com/errata/RHSA-2022:4667

Comment 39 errata-xmlrpc 2022-05-18 20:26:47 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:4668 https://access.redhat.com/errata/RHSA-2022:4668

Comment 40 errata-xmlrpc 2022-05-31 05:42:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2022:2280 https://access.redhat.com/errata/RHSA-2022:2280

Comment 41 errata-xmlrpc 2022-06-14 17:42:17 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:5026 https://access.redhat.com/errata/RHSA-2022:5026

Comment 43 errata-xmlrpc 2022-08-10 10:08:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5068 https://access.redhat.com/errata/RHSA-2022:5068

Comment 44 errata-xmlrpc 2022-08-10 10:23:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5070 https://access.redhat.com/errata/RHSA-2022:5070

Comment 45 errata-xmlrpc 2022-08-10 10:34:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069

Comment 46 errata-xmlrpc 2022-08-10 11:36:28 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042

Comment 47 errata-xmlrpc 2022-08-10 13:14:46 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040

