prometheus / alertmanager

Prometheus Alertmanager
https://prometheus.io
Apache License 2.0

CVE-2017-15133: A denial of service flaw was found in miekg-dns before 1.0.4 #1734

Closed knweiss closed 5 years ago

knweiss commented 5 years ago

What did you do?

FYI: I've just tested the Go dependency vulnerability scanner nancy on the alertmanager master branch and it found one issue.

I did not look too close into this issue myself and don't know if it really is important. I just wanted to let you know.

What did you expect to see?

No known vulnerabilities.

What did you see instead? Under which circumstances?

$ ./nancy ~/src/github.com/prometheus/alertmanager/go.sum
2019/02/04 13:52:50 Replaying from value pointer: {Fid:0 Len:42 Offset:31640}
2019/02/04 13:52:50 Iterating file id: 0
2019/02/04 13:52:50 Iteration took: 18.957µs
[...]
[1/87] github/datadog/datadog-go@0.0.0-20180822151419-281ae9f2d895    No known vulnerabilities against package/version...
[2/87] github/oneofone/xxhash@1.2.2    No known vulnerabilities against package/version...
[3/87] github/puerkitobio/purell@0.0.0-20170917143911-fd18e053af8a    No known vulnerabilities against package/version...
[4/87] github/puerkitobio/urlesc@0.0.0-20170810143723-de5bf2ad4578    No known vulnerabilities against package/version...
[5/87] github/alecthomas/template@0.0.0-20160405071501-a0175ee3bccc    No known vulnerabilities against package/version...
[6/87] github/alecthomas/units@0.0.0-20151022065526-2efee857e7cf    No known vulnerabilities against package/version...
[7/87] github/armon/go-metrics@0.0.0-20171002182731-9a4b6e10bed6    No known vulnerabilities against package/version...
[8/87] github/asaskevich/govalidator@0.0.0-20180319081651-7d2e70ef918f    No known vulnerabilities against package/version...
[9/87] github/beorn7/perks@0.0.0-20180321164747-3a771d992973    No known vulnerabilities against package/version...
[10/87] github/cenkalti/backoff@0.0.0-20181003080854-62661b46c409    No known vulnerabilities against package/version...
[11/87] github/cespare/xxhash@0.0.0-20181017004759-096ff4a8a059    No known vulnerabilities against package/version...
[12/87] github/circonus-labs/circonusllhist@0.1.0    No known vulnerabilities against package/version...
[13/87] github/davecgh/go-spew@0.0.0-20180830191138-d8f796af33cc    No known vulnerabilities against package/version...
[14/87] github/docker/go-units@0.3.3    No known vulnerabilities against package/version...
[15/87] github/go-kit/kit@0.0.0-20171021132459-e2b298466b32    No known vulnerabilities against package/version...
[16/87] github/go-logfmt/logfmt@0.3.0    No known vulnerabilities against package/version...
[17/87] github/go-openapi/analysis@0.0.0-20180710011727-3c8fe72ed5d3    No known vulnerabilities against package/version...
[18/87] github/go-openapi/errors@0.0.0-20180515155515-b2b2befaf267    No known vulnerabilities against package/version...
[19/87] github/go-openapi/jsonpointer@0.0.0-20180322222829-3a0015ad55fa    No known vulnerabilities against package/version...
[20/87] github/go-openapi/jsonreference@0.0.0-20180322222742-3fb327e6747d    No known vulnerabilities against package/version...
[21/87] github/go-openapi/loads@0.0.0-20171207192234-2a2b323bab96    No known vulnerabilities against package/version...
[22/87] github/go-openapi/runtime@0.0.0-20180628220156-9a3091f566c0    No known vulnerabilities against package/version...
[23/87] github/go-openapi/spec@0.0.0-20180710175419-bce47c9386f9    No known vulnerabilities against package/version...
[24/87] github/go-openapi/strfmt@0.0.0-20180703152050-913ee058e387    No known vulnerabilities against package/version...
[25/87] github/go-openapi/swag@0.0.0-20180703152219-2b0bd4f193d0    No known vulnerabilities against package/version...
[26/87] github/go-openapi/validate@0.0.0-20180703152151-9a6e517cddf1    No known vulnerabilities against package/version...
[27/87] github/go-stack/stack@1.6.0    No known vulnerabilities against package/version...
[28/87] github/gogo/protobuf@0.0.0-20171123125729-971cbfd2e72b    No known vulnerabilities against package/version...
[29/87] github/golang/protobuf@1.2.0    No known vulnerabilities against package/version...
[30/87] github/google/uuid@1.0.0    No known vulnerabilities against package/version...
[31/87] github/hashicorp/consul@1.4.0    No known vulnerabilities against package/version...
[32/87] github/hashicorp/errwrap@1.0.0    No known vulnerabilities against package/version...
[33/87] github/hashicorp/go-cleanhttp@0.5.0    No known vulnerabilities against package/version...
[34/87] github/hashicorp/go-immutable-radix@0.0.0-20170725221215-8aac27015308    No known vulnerabilities against package/version...
[35/87] github/hashicorp/go-msgpack@0.0.0-20150518234257-fa3f63826f7c    No known vulnerabilities against package/version...
[36/87] github/hashicorp/go-multierror@0.0.0-20170622060955-83588e72410a    No known vulnerabilities against package/version...
[37/87] github/hashicorp/go-retryablehttp@0.5.0    No known vulnerabilities against package/version...
[38/87] github/hashicorp/go-sockaddr@0.0.0-20171030104312-9b4c5fa5b10a    No known vulnerabilities against package/version...
[39/87] github/hashicorp/go-uuid@1.0.0    No known vulnerabilities against package/version...
[40/87] github/hashicorp/golang-lru@0.0.0-20160813221303-0a025b7e63ad    No known vulnerabilities against package/version...
[41/87] github/hashicorp/memberlist@0.0.0-20170919173151-687988a0b5da    No known vulnerabilities against package/version...
[42/87] github/hashicorp/serf@0.8.1    No known vulnerabilities against package/version...
[43/87] github/hashicorp/uuid@0.0.0-20160311170451-ebb0a03e909c    No known vulnerabilities against package/version...
[44/87] github/hashicorp/yamux@0.0.0-20181012175058-2f1d1f20f75d    No known vulnerabilities against package/version...
[45/87] github/jessevdk/go-flags@0.0.0-20180331124232-1c38ed7ad0cc    No known vulnerabilities against package/version...
[46/87] github/julienschmidt/httprouter@0.0.0-20170430222011-975b5c4c7c21    No known vulnerabilities against package/version...
[47/87] github/kr/logfmt@0.0.0-20140226030751-b84e30acd515    No known vulnerabilities against package/version...
[48/87] github/kylelemons/godebug@0.0.0-20160406211939-eadb3ce320cb    No known vulnerabilities against package/version...
[49/87] github/mailru/easyjson@0.0.0-20171022173215-4d347d79dea0    No known vulnerabilities against package/version...
[50/87] github/matttproud/golang_protobuf_extensions@1.0.1    No known vulnerabilities against package/version...
------------------------------------------------------------
[51/87] github/miekg/dns@0.0.0-20171108100119-388f6eea2949  [Vulnerable]    1 known vulnerabilities affecting installed version

[CVE-2017-15133]  Uncontrolled Resource Consumption ("Resource Exhaustion")
A denial of service flaw was found in miekg-dns before 1.0.4. A remote attacker could use carefully timed TCP packets to block the DNS server from accepting new connections.

ID: 550f10f6-8f30-4b62-984b-b384d0fd5735
Details: https://ossindex.sonatype.org/vuln/550f10f6-8f30-4b62-984b-b384d0fd5735
[52/87] github/mitchellh/mapstructure@0.0.0-20180220230111-00c29f56e238    No known vulnerabilities against package/version...
[53/87] github/mwitkow/go-conntrack@0.0.0-20161129095857-cc309e4a2223    No known vulnerabilities against package/version...
[54/87] github/oklog/oklog@0.0.0-20170918173356-f857583a70c3    No known vulnerabilities against package/version...
[55/87] github/oklog/ulid@0.0.0-20170117200651-66bb6560562f    No known vulnerabilities against package/version...
[56/87] github/pascaldekloe/goe@0.0.0-20180627143212-57f6aae5913c    No known vulnerabilities against package/version...
[57/87] github/pborman/uuid@1.2.0    No known vulnerabilities against package/version...
[58/87] github/pkg/errors@0.0.0-20170316201538-ff09b135c25a    No known vulnerabilities against package/version...
[59/87] github/pmezard/go-difflib@1.0.0    No known vulnerabilities against package/version...
[60/87] github/prometheus/client_golang@0.9.2    No known vulnerabilities against package/version...
[61/87] github/prometheus/client_model@0.0.0-20180712105110-5c3871d89910    No known vulnerabilities against package/version...
[62/87] github/prometheus/common@0.0.0-20181126121408-4724e9255275    No known vulnerabilities against package/version...
[63/87] github/prometheus/procfs@0.0.0-20181204211112-1dc9a6cbc91a    No known vulnerabilities against package/version...
[64/87] github/prometheus/prometheus@0.0.0-20180315085919-58e2a31db8de    No known vulnerabilities against package/version...
[65/87] github/rs/cors@1.6.0    No known vulnerabilities against package/version...
[66/87] github/satori/go.uuid@0.0.0-20160603004225-b111a074d5ef    No known vulnerabilities against package/version...
[67/87] github/sean-/seed@0.0.0-20170313163322-e2103e2c3529    No known vulnerabilities against package/version...
[68/87] github/shurcool/httpfs@0.0.0-20171119174359-809beceb2371    No known vulnerabilities against package/version...
[69/87] github/shurcool/vfsgen@0.0.0-20180825020608-02ddb050ef6b    No known vulnerabilities against package/version...
[70/87] github/spaolacci/murmur3@0.0.0-20180118202830-f09979ecbc72    No known vulnerabilities against package/version...
[71/87] github/stretchr/testify@0.0.0-20160615092844-d77da356e56a    No known vulnerabilities against package/version...
[72/87] github/tv42/httpunix@0.0.0-20150427012821-b75d8614f926    No known vulnerabilities against package/version...
[73/87] github/xlab/treeprint@0.0.0-20180616005107-d6fb6747feb6    No known vulnerabilities against package/version...
[74/87] golang/x/net@0.0.0-20181201002055-351d144fa1fc    No known vulnerabilities against package/version...
[75/87] golang/x/sync@0.0.0-20181108010431-42b317875d0f    No known vulnerabilities against package/version...
[76/87] golang/x/text@0.3.0    No known vulnerabilities against package/version...
[77/87] golang/x/text@0.3.1-0.20180805044716-cb6730876b98    No known vulnerabilities against package/version...
[78/87] golang/x/tools@0.0.0-20190118193359-16909d206f00    No known vulnerabilities against package/version...
[79/87] google.golang/appengine@1.3.0    No known vulnerabilities against package/version...
[80/87] github/alecthomas/kingpin.v2@2.2.6    No known vulnerabilities against package/version...
[81/87] github/check.v1@0.0.0-20161208181325-20d25e280405    No known vulnerabilities against package/version...
[82/87] github/mgo.v2@2.0.0-20160818020120-3f83fa500528    No known vulnerabilities against package/version...
[83/87] github/vmihailenco/msgpack.v2@2.9.1    No known vulnerabilities against package/version...
[84/87] github/yaml.v2@2.2.1    No known vulnerabilities against package/version...
[85/87] labix.org/v2/mgo@0.0.0-20140701140051-000000000287    No known vulnerabilities against package/version...
[86/87] launchpad.net/gocheck@0.0.0-20140225173054-000000000087    No known vulnerabilities against package/version...
[87/87] github/circonus-labs/circonus-gometrics@2.2.4%20incompatible    No known vulnerabilities against package/version...

Audited dependencies: 87, Vulnerable: 1
$ git describe --tag
v0.16.0-alpha.0-36-g5c5ff9e
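The finding above reduces to a version comparison: the pinned pseudo-version v0.0.0-20171108100119-388f6eea2949 has base 0.0.0, which sorts below the 1.0.4 fix named in the advisory. The Go snippet below is an added example of that check over a go.sum file; it is not nancy's or Alertmanager's code, and the fixedIn map, the constructed go.sum excerpt and the function names are its own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path -> first fixed version. The miekg/dns entry comes from the advisory quoted above; the map itself is assumed.
var fixedIn = map[string]string{"github.com/miekg/dns": "v1.0.4"}
// Constructed go.sum excerpt (not Alertmanager's real file) pinning the flagged pseudo-version.
const sampleGoSum = `github.com/miekg/dns v0.0.0-20171108100119-388f6eea2949 h1:CONSTRUCTED=
github.com/miekg/dns v0.0.0-20171108100119-388f6eea2949/go.mod h1:CONSTRUCTED=
github.com/miekg/dns v1.0.4/go.mod h1:CONSTRUCTED=
`

// base extracts major.minor.patch; Sscanf stops at the first non-digit, so a "-pre", pseudo-version
// or "+incompatible" suffix is ignored. Non-semver input stays 0.0.0 and is thus flagged (fail closed).
func base(v string) (out [3]int) {
	_, _ = fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	return out
}

// Older reports whether a sorts before b; on an equal base, a pre-release or pseudo-version of the fix still counts as vulnerable.
func Older(a, b string) bool {
	va, vb := base(a), base(b)
	for i := range va {
		if va[i] != vb[i] {
			return va[i] < vb[i]
		}
	}
	return strings.Contains(a, "-") && !strings.Contains(b, "-")
}

// AuditGoSum maps each "module@version" pinned below its fixed version to that
// fix; the h1: and /go.mod lines for one version collapse into a single entry.
func AuditGoSum(gosum string) map[string]string {
	found := map[string]string{}
	for _, line := range strings.Split(gosum, "\n") {
		if f := strings.Fields(line); len(f) >= 2 {
			mod, ver := f[0], strings.TrimSuffix(f[1], "/go.mod")
			if fixed, ok := fixedIn[mod]; ok && Older(ver, fixed) {
				found[mod+"@"+ver] = fixed
			}
		}
	}
	return found
}

func main() { fmt.Println(AuditGoSum(sampleGoSum)) }
```

Such a check sees only the version string, not the commit contents, so the dependable remedy is the one the maintainer proposes: bump the module to a tagged release at or above the fixed version and re-run the scan.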

mxinden commented 5 years ago

Given that Alertmanager uses the given library as a client (memberlist), not a server, I don't think this attack applies to us.

I will look into updating this dependency anyways.

Thanks for reporting the issue. For future security vulnerabilities please do not report them publicly, but instead please reach out to the maintainer of the project directly. This gives us more time to mitigate the problem.

simonpasquier commented 5 years ago

Closed by #1738