prometheus / node_exporter

Exporter for machine metrics
https://prometheus.io/
Apache License 2.0
11.28k stars, 2.37k forks

Please cut a new release to address CVEs affecting the IsLoopback function used in node_exporter #3154

Open PelagicGames opened 1 month ago

PelagicGames commented 1 month ago

Host operating system: output of uname -a

n/a

node_exporter version: output of node_exporter --version

1.8.2

node_exporter command line flags

n/a

node_exporter log output

n/a

Are you running node_exporter in Docker?

Yes

What did you do that produced an error?

trivy scan highlights CVEs, with at least one impacting node_exporter:

What did you expect to see?

Clean scan

What did you see instead?

CVEs that have been resolved in master on HEAD, but not in latest release

discordianfish commented 1 month ago

They are not exploitable.

mykaul commented 2 weeks ago

Thanks @discordianfish for confirming. However, I find it sometimes easier to build a new release than to explain that a vulnerability is not exploitable. This is what I got the last time I ran it (snippet):

ykaul@ykaul:~$ trivy repository https://github.com/prometheus/node_exporter --branch release-1.8 --scanners vuln   --detection-priority comprehensive
2024-10-29T17:19:29+02:00   INFO    [vuln] Vulnerability scanning is enabled
Enumerating objects: 6544, done.
Counting objects: 100% (6544/6544), done.
Compressing objects: 100% (3536/3536), done.
Total 6544 (delta 3343), reused 5501 (delta 2547), pack-reused 0 (from 0)
2024-10-29T17:19:32+02:00   INFO    Number of language-specific files   num=1
2024-10-29T17:19:32+02:00   INFO    [gomod] Detecting vulnerabilities...
2024-10-29T17:19:32+02:00   WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.

go.mod (gomod)

Total: 20 (UNKNOWN: 0, LOW: 0, MEDIUM: 13, HIGH: 6, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.0            │ 1.21.11, 1.22.4                  │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                                  │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39321 │ HIGH     │        │                   │ 1.21.1                           │ golang: crypto/tls: panic when processing post-handshake     │
│         │                │          │        │                   │                                  │ message on QUIC connections                                  │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39321                   │
│         ├────────────────┤          │        │                   │                                  ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39322 │          │        │                   │                                  │ golang: crypto/tls: lack of a limit on buffered              │
│         │                │          │        │                   │                                  │ post-handshake                                               │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39322                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39325 │          │        │                   │ 1.20.10, 1.21.3                  │ golang: net/http, x/net/http2: rapid stream resets can cause │
│         │                │          │        │                   │                                  │ excessive work (CVE-2023-44487)                              │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45283 │          │        │                   │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\    │
│         │                │          │        │                   │                                  │ prefix as...                                                 │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45283                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │          │        │                   │ 1.21.9, 1.22.2                   │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                                  │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34156 │          │        │                   │ 1.22.7, 1.23.1                   │ encoding/gob: golang: Calling Decoder.Decode on a message    │
│         │                │          │        │                   │                                  │ which contains deeply nested structures...                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-34156                   │
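The first row of that scan, CVE-2024-24790, concerns the net/netip Is* methods (IsLoopback among them) misclassifying IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. As an added example, not code from node_exporter or from the Go project, the snippet below shows the defensive form of the check (Unmap() before IsLoopback, so the answer does not depend on the toolchain version) and a runtime self-test that reports whether the stdlib the binary was built with still shows the pre-fix behaviour; the function names and the sample addresses are my own.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IsLoopbackNormalized unmaps an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to
// plain IPv4 before calling IsLoopback, so the answer no longer depends on
// whether the Go toolchain carries the CVE-2024-24790 fix to the Is* methods.
func IsLoopbackNormalized(addr netip.Addr) bool {
	return addr.Unmap().IsLoopback()
}

// Verdict pairs the raw stdlib answer with the normalized one for an address.
type Verdict struct {
	Addr       string
	Raw        bool // addr.IsLoopback() as the running stdlib reports it
	Normalized bool // IsLoopbackNormalized(addr)
}

// Classify parses s and evaluates both checks; non-IP input is an error.
func Classify(s string) (Verdict, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return Verdict{}, err
	}
	return Verdict{Addr: addr.String(), Raw: addr.IsLoopback(), Normalized: IsLoopbackNormalized(addr)}, nil
}

// ToolchainAffected is a runtime self-test: true when the stdlib disagrees
// with the normalized check on a mapped loopback address, the CVE-2024-24790
// behaviour of toolchains older than 1.21.11 / 1.22.4 (the fixed versions above).
func ToolchainAffected() bool {
	v, _ := Classify("::ffff:127.0.0.1")
	return v.Raw != v.Normalized
}

func main() {
	// Constructed samples: plain and mapped loopback, mapped private, plain IPv6.
	for _, s := range []string{"127.0.0.1", "::1", "::ffff:127.0.0.1", "::ffff:10.0.0.1", "2001:db8::1"} {
		v, err := Classify(s)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%-17s raw=%-5t normalized=%t\n", v.Addr, v.Raw, v.Normalized)
	}
	fmt.Println("toolchain affected by CVE-2024-24790:", ToolchainAffected())
}
```

Run it with the Go version used to build a given node_exporter binary: a mapped loopback address whose raw and normalized verdicts differ means that toolchain predates the fix, while the normalized check is correct either way.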