prometheus / node_exporter

Exporter for machine metrics
https://prometheus.io/
Apache License 2.0
11.17k stars 2.36k forks

CVEs with version 1.7.0 #2920

Closed krishnaindani closed 8 months ago

krishnaindani commented 8 months ago

Host operating system: output of uname -a

Linux gke x86_64 GNU/Linux

node_exporter version: output of node_exporter --version

1.7.0

node_exporter command line flags

Are you running node_exporter in Docker?

Running as container on Kubernetes GKE

What did you do that produced an error?

Found the following CVEs on the above version using Twistlock.

| id | status | cvss | description | severity | packageName | packageVersion | link |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-45285 | fixed in 1.21.5, 1.20.12 | 7.5 | Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). | high | go | 1.21.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-45285 |
| CVE-2023-48795 | fixed in 0.17.0 | 5.9 | The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SS | moderate | golang.org/x/crypto | v0.14.0 | https://nvd.nist.gov/vuln/detail/CVE-2023-48795 |
| CVE-2023-42366 | | 5.5 | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. | medium | busybox | 1.36.1 | https://nvd.nist.gov/vuln/detail/CVE-2023-42366 |
| CVE-2023-42365 | | 5.5 | A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. | medium | busybox | 1.36.1 | https://nvd.nist.gov/vuln/detail/CVE-2023-42365 |
| CVE-2023-42364 | | 5.5 | A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function. | medium | busybox | 1.36.1 | https://nvd.nist.gov/vuln/detail/CVE-2023-42364 |
| CVE-2023-42363 | | 5.5 | A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. | medium | busybox | 1.36.1 | https://nvd.nist.gov/vuln/detail/CVE-2023-42363 |
| CVE-2023-39326 | fixed in 1.21.5, 1.20.12 | 5.3 | A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. | medium | go | 1.21.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-39326 |

What did you expect to see?

For this to get resolved with the updates. At least for high severity in the near term.

What did you see instead?

Seeing the vulnerability associated with the CVE get fixed.
SuperQ commented 8 months ago

Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying. Please verify vulnerability reports and include specific details as to which components are directly exploitable.
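One way to do the first verification step SuperQ asks for on the Go rows of the table above, as an added example that is neither node_exporter's nor the Prometheus team's code: it reads the module versions the Go linker embedded in the binary (the standard `debug/buildinfo` package) and keeps only the rows whose module is actually linked below its fix version. The 1.21.5 fix line is assumed because the table reports go 1.21.4, and the busybox rows are left out because they describe the container image, not the binary.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Go-side rows of the scanner table with the 1.21-line fix versions (busybox rows belong to the container image, not this binary).
var advisories = map[string]struct{ fixed, cves string }{
	"go":                  {"1.21.5", "CVE-2023-45285, CVE-2023-39326"},
	"golang.org/x/crypto": {"0.17.0", "CVE-2023-48795"},
}

// key maps "go1.21.4", "v0.14.0" or "1.21.5" to major*10^6+minor*10^3+patch, ignoring any pre-release suffix.
func key(v string) (k int) {
	v, _, _ = strings.Cut(strings.TrimLeft(v, "gov"), "-")
	for _, p := range append(strings.SplitN(v, ".", 3), "0", "0")[:3] {
		n, _ := strconv.Atoi(p)
		k = k*1000 + n
	}
	return k
}

// findings: table rows whose module is linked below its fix. Present is not reachable; govulncheck -mode=binary is the next step.
func findings(vs map[string]string) []string {
	var out []string
	for mod, a := range advisories {
		if v, ok := vs[mod]; ok && key(v) < key(a.fixed) {
			out = append(out, mod+" "+v+": "+a.cves)
		}
	}
	return out
}

func main() {
	vs := map[string]string{"go": "go1.21.4", "golang.org/x/crypto": "v0.14.0"} // constructed sample taken from the table
	if len(os.Args) > 1 { // e.g. ./node_exporter: use the versions the Go linker embedded instead
		bi, err := buildinfo.ReadFile(os.Args[1])
		if err != nil {
			panic(err)
		}
		vs = map[string]string{"go": bi.GoVersion}
		for _, d := range bi.Deps {
			vs[d.Path] = d.Version
		}
	}
	fmt.Println(findings(vs))
}
```

A remaining hit only shows the affected code is linked in; whether node_exporter reaches it is a separate question that govulncheck's binary mode answers for the Go findings.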

richgerrard commented 8 months ago

You're using old packages, and you have not released in months. Perhaps some toil is exactly what the doctor ordered. "Completed" is an inappropriate status.

richgerrard commented 8 months ago

/reopen