prometheus / statsd_exporter

StatsD to Prometheus metrics exporter
Apache License 2.0

migrate away from circleci/golang for builds #424

Closed tighemf closed 2 years ago

tighemf commented 2 years ago

The Prometheus GH "prom/statsd-exporter" is affected by a recently disclosed security issue.

CVEID: CVE-2022-24921
Description: Golang Go is vulnerable to a denial of service, caused by improper input validation. By using a specially-crafted deeply nested expression, a remote attacker could exploit this vulnerability to cause a goroutine stack exhaustion, resulting in a denial of service condition.

The issue I found is in a docker file that prom/statsd-exporter uses: "circleci/golang:1.17" (https://hub.docker.com/r/circleci/golang)

According to the CircleCI web page (https://circleci.com/docs/2.0/circleci-images/), that specific image has been deprecated as of Dec 2021. This means the prom/statsd-exporter is currently built on deprecated code.

In addition, that specific CircleCI image uses a version of golang that is too old. If you look inside the docker image for 1.17, you find that the version of golang is 1.17.5. The CVE says to use 1.17.8 or later.

The new "replacement" set of docker images from CircleCI includes one called "cimg/go" - which has golang:1.18 - which presumably doesn't have any regressions.

Companies that use prom/statsd-exporter (like mine) would be happy to see this vulnerability remediated.

Thanks for your attention to this issue.
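The report above boils down to two checks on the image references in a CI config: is the image repository one CircleCI has deprecated, and is the Go version it ships at or above the release the CVE names (1.17.8)? The following is an added example, not code from the statsd_exporter project or from anyone in this thread. It scans a CircleCI-style `image:` line list and reports both conditions. The config text and the `resolved` mapping are constructed inputs; the `quay.io/prometheus/golang-builder` tag is a sample value, and the distinction it illustrates is the one made later in the thread, that the CircleCI image is used only for CI while the golang-builder image produces the shipped binaries.

```python
"""Audit CI/build image references for a deprecated Go base image and for a
Go version older than the fixed release cited in the issue (1.17.8)."""
import re
from typing import Dict, List, Optional, Tuple

# Go release the CVE text says to use "or later"; 1.18.x sorts above it.
FIXED_GO_VERSION: Tuple[int, int, int] = (1, 17, 8)

# Image repositories the issue identifies as deprecated by CircleCI.
DEPRECATED_REPOS = {"circleci/golang"}

# Matches "image: repo[:tag]" entries in a CircleCI-style YAML config.
IMAGE_RE = re.compile(
    r"^\s*-?\s*image:\s*['\"]?([A-Za-z0-9./_-]+)(?::([A-Za-z0-9._-]+))?"
)


def parse_go_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from tags such as '1.17.5' or '1.18-base'.

    A floating tag with no patch component ('1.17') yields patch 0, which is a
    conservative guess: the issue found 1.17.5 inside that tag only by looking
    in the image, so callers should pass the inspected version via `resolved`.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", tag)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def audit_images(
    config_text: str, resolved: Optional[Dict[str, str]] = None
) -> List[Tuple[str, List[str]]]:
    """Return (image_ref, [reasons]) for every image that fails a check.

    `resolved` maps an image reference to the Go version actually found
    inside it (assumed to come from `docker run <image> go version`).
    """
    resolved = resolved or {}
    findings: List[Tuple[str, List[str]]] = []
    for line in config_text.splitlines():
        m = IMAGE_RE.match(line)
        if not m:
            continue
        repo, tag = m.group(1), m.group(2) or ""
        ref = f"{repo}:{tag}" if tag else repo
        reasons: List[str] = []
        if repo in DEPRECATED_REPOS:
            reasons.append("deprecated image repository")
        version = parse_go_version(resolved.get(ref, tag))
        if version is not None and version < FIXED_GO_VERSION:
            found = ".".join(map(str, version))
            fixed = ".".join(map(str, FIXED_GO_VERSION))
            reasons.append(f"Go {found} is older than fixed {fixed}")
        if reasons:
            findings.append((ref, reasons))
    return findings


# Constructed sample config: one CI job on the deprecated image, one build
# job on the Prometheus builder image, one job on CircleCI's replacement.
CONSTRUCTED_CONFIG = """
version: 2.1
jobs:
  test:
    docker:
      - image: circleci/golang:1.17
  build:
    docker:
      - image: quay.io/prometheus/golang-builder:1.18-base
  lint:
    docker:
      - image: cimg/go:1.18
"""

# Constructed: the Go version the issue reports inside circleci/golang:1.17.
CONSTRUCTED_RESOLVED = {"circleci/golang:1.17": "1.17.5"}

if __name__ == "__main__":
    for ref, reasons in audit_images(CONSTRUCTED_CONFIG, CONSTRUCTED_RESOLVED):
        print(f"{ref}: {'; '.join(reasons)}")
```

Only the `circleci/golang:1.17` entry is reported, with both reasons; the builder image that actually produces the release binaries and the `cimg/go` replacement pass, which is the outcome the later comments in this thread describe.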

SuperQ commented 2 years ago

The statsd exporter does not accept regexps as user input, so this vulnerability does not apply.

SuperQ commented 2 years ago

Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying. Please verify vulnerability reports and include specific details as to which components are directly exploitable. Please also include a reproduction case.

matthiasr commented 2 years ago

Actually in this case, thank you for investigating the images 😄

I had on my radar that we need to migrate because of the ancient Ubuntu base (CircleCI even sent emails) but I missed that we are also behind on Go versions because of it, which makes a difference for the actual binary produced. I will change the title of the issue to emphasize what is to be done here.

matthiasr commented 2 years ago

I wonder whether we should switch to cimg/go or to the Prometheus Go builder image?

SuperQ commented 2 years ago

@matthiasr The CircleCI Go images are only used for CI. The actual final built binaries are produced with golang-builder.

tighemf commented 2 years ago

Being curious: Is there any timeline for when this issue will be fixed?

matthiasr commented 2 years ago

The day job has been really busy for me lately, so I can't promise when I will be able to look into it myself. However, I do believe that CircleCI would use the updated setting in a PR build, so if you want it sooner, please send a pull request!

tighemf commented 2 years ago

Thanks @matthiasr!