Closed tighemf closed 2 years ago
The statsd exporter does not accept regexps as user input, so this vulnerability does not apply.
Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying. Please verify vulnerability reports and include specific details as to which components are directly exploitable. Please also include a reproduction case.
Actually in this case, thank you for investigating the images 😄
I had on my radar that we need to migrate because of the ancient Ubuntu base (CircleCI even sent emails) but I missed that we are also behind on Go versions because of it, which makes a difference for the actual binary produced. I will change the title of the issue to emphasize what is to be done here.
I wonder whether we should switch to cimg/go or to the Prometheus Go builder image?
@matthiasr The CircleCI Go images are only used for CI. The actual final built binaries are produced with golang-builder.
Being curious: Is there any timeline for when this issue will be fixed?
The day job has been really busy for me lately, so I can't promise when I will be able to look into it myself. However I do believe that CircleCI would use the updated setting in a PR build, so if you want it sooner, please send a pull request!
Thanks @matthiasr!
The Prometheus GH "prom/statsd-exporter" is affected by a recently disclosed security issue.
The issue I found is in a docker file that prom/statsd-exporter uses: "circleci/golang:1.17" (https://hub.docker.com/r/circleci/golang)
According to the CircleCI web page (https://circleci.com/docs/2.0/circleci-images/), that specific image has been deprecated as of Dec 2021. This means the prom/statsd-exporter is currently built on deprecated code.
In addition, that specific CircleCI image uses a version of golang that is too old. If you look inside the docker image for 1.17, you find that the version of golang is 1.17.5. The CVE says to use 1.17.8 or later.
The new "replacement" set of docker images from CircleCI includes one called "cimg/go" - which has golang:1.18 - which presumably doesn't have any regressions.
Companies that use prom/statsd-exporter (like mine) would be happy to see this vulnerability remediated.
Thanks for your attention to this issue.
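As the maintainer reply above notes, the CircleCI image only runs CI; the Go version compiled into the shipped binary comes from whatever toolchain actually built it. The check a practitioner would want is therefore on the binary itself: `go version ./statsd_exporter` prints the toolchain recorded in the executable, and that string can be compared against the minimum the advisory requires (1.17.8 here). The following helper is an added example, not code from this issue or from the statsd-exporter project; the function names are hypothetical, and the sample `go version`-style lines at the bottom are constructed for illustration.

```sh
#!/bin/sh
# Added example (hypothetical helper names). Compares the Go toolchain
# version recorded in a binary, as printed by `go version <file>`, against
# a required minimum such as 1.17.8.

# Pull the "goX.Y[.Z]" token out of a `go version`-style line, e.g.
# "statsd_exporter: go1.17.5" -> "1.17.5".
extract_go_version() {
    printf '%s\n' "$1" \
      | sed -n 's/.*go\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p' \
      | head -n 1
}

# Numeric comparison of two dotted versions; prints -1, 0 or 1.
# A missing component (1.18 vs 1.18.0) is treated as 0.
compare_versions() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ -z "$ai" ]; then ai=0; fi
        if [ -z "$bi" ]; then bi=0; fi
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a=${a#*.};; *) a="";; esac
        case "$b" in *.*) b=${b#*.};; *) b="";; esac
    done
    printf '%s\n' 0
}

# go_version_at_least "<go version output>" "<minimum>"
# Exit status 0 when the embedded toolchain is at least the minimum.
go_version_at_least() {
    found=$(extract_go_version "$1")
    if [ -z "$found" ]; then
        echo "no Go version found in: $1" >&2
        return 1
    fi
    [ "$(compare_versions "$found" "$2")" -ge 0 ]
}

# Constructed sample lines standing in for `go version ./statsd_exporter`.
# In practice: go_version_at_least "$(go version ./statsd_exporter)" 1.17.8
for line in 'statsd_exporter: go1.17.5' 'statsd_exporter: go1.17.8' 'statsd_exporter: go1.18'; do
    if go_version_at_least "$line" 1.17.8; then
        echo "OK      $line"
    else
        echo "TOO OLD $line"
    fi
done
```

The comparison is done component by component rather than with string ordering, so 1.17.10 correctly sorts above 1.17.8; `sort -V` would also work but is not available in every image's coreutils.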