Closed hilariocoelho closed 2 years ago
Thank you for your contribution. unfortunately, one or more of your commits are missing the required "Signed-off-by:" statement. Signing off is part of the Developer Certificate of Origin (DCO) which is used by this project.
Read the DCO and project contributing guide carefully, and amend your commits using the git CLI. Note that this does not require any cryptography, keys or special steps to be taken.
This will only take a few moments.
First, clone your fork and checkout this branch using the git CLI.
Next, set up your real name and email address:
git config --global user.name "Your Full Name"
git config --global user.email "you@domain.com"
Finally, run one of these commands to add the "Signed-off-by" line to your commits.
If you only have one commit so far then run: git commit --amend --signoff
and then git push --force
.
If you have multiple commits, watch this video.
Check that the message has been added properly by running "git log".
Hi @SpaWn2KiLl thanks for letting us know about the CVE in Prometheus.
For any concerned users, we must ask: "What is the likelihood of this being a risk for your environment?"
In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.
It sounds like this only affects users who directly expose the expose the Prometheus HTTP server on the Internet? By default we run the Prometheus server on a separate private port, which is only available in-cluster. The risk should be extremely low for most users. If you see it differently, let me know.
There are other usages of the Prometheus HTTP handler such as the gateway, which would also benefit from a patch: https://github.com/openfaas/faas/tree/master/gateway
Along with the classic watchdog, which is very similar code for metrics: https://github.com/openfaas/classic-watchdog
The testing done here doesn't appear to be functional testing (which we would usually require for a merge), however the minor patch version increment should not include any breaking changes, so I am open to merging it without further testing.
Alex
For any concerned users, we must ask: "What is the likelihood of this being a risk for your environment?" It sounds like this only affects users who directly expose the expose the Prometheus HTTP server on the Internet? By default we run the Prometheus server on a separate private port, which is only available in-cluster. The risk should be extremely low for most users. If you see it differently, let me know.
This is a good question. The risk assessment you provided has multiple assumptions:
If these assumptions do not hold true, then the risk may not be "extremely low" -- combine this with the easy fix of just upgrading the dependency to the latest patch version, it seems like an easy decision to merge here and in other affected components.
Thanks for your comment @Jack64.
combine this with the easy fix of just upgrading the dependency to the latest patch version, it seems like an easy decision to merge here and in other affected components
I don't disagree, that's what my intention was when I responded above.
Out of curiosity, are you also an openfaas user or a colleague of Hilario?
Current prometheus client golang lib being used by of-watchod contains a vulnerability that has been fixed on v1.11.1 here
Description
As you can see, the generated docker container of of-watchdog contains the vulnerability and is reported using grype:
After updating the affected library and running
make dist
andmake build
, this is the generated report from grype:Motivation and Context
Fix a security vulnerability.
How Has This Been Tested?
Using grype
Types of changes
Checklist:
git commit -s