Security update for golang-github-prometheus-prometheus SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:1434-1 Final 1 1 2022-04-27T12:33:28Z current 2022-04-27T12:33:28Z 2022-04-27T12:33:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for golang-github-prometheus-prometheus This update for golang-github-prometheus-prometheus fixes the following issues: Security fixes for golang-github-prometheus-prometheus: - CVE-2022-21698: Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods (bsc#1196338). Other non security changes for golang-github-prometheus-prometheus: - Build `firewalld-prometheus-config` only for SUSE Linux Enterprise 15, 15-SP1 and 15-SP2, and require `firewalld`. - Only recommends `firewalld-prometheus-config` as prometheus does not require it to run. - Create `firewalld-prometheus-config` subpackage (bsc#1197042, jsc#SLE-24376) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-1434,SUSE-SLE-Manager-Tools-15-2022-1434 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20221434-1/ Link for SUSE-SU-2022:1434-1 https://lists.suse.com/pipermail/sle-security-updates/2022-April/010851.html E-Mail link for SUSE-SU-2022:1434-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1196338 SUSE Bug 1196338 https://bugzilla.suse.com/1197042 SUSE Bug 1197042 https://www.suse.com/security/cve/CVE-2022-21698/ SUSE CVE CVE-2022-21698 page SUSE Manager Client Tools 15 firewalld-prometheus-config-0.1-150000.3.41.2 golang-github-prometheus-prometheus-2.32.1-150000.3.41.2 firewalld-prometheus-config-0.1-150000.3.41.2 as a component of SUSE Manager Client Tools 15 golang-github-prometheus-prometheus-2.32.1-150000.3.41.2 as a component of SUSE Manager Client Tools 15 client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods. CVE-2022-21698 SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.41.2 SUSE Manager Client Tools 15:golang-github-prometheus-prometheus-2.32.1-150000.3.41.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221434-1/ https://www.suse.com/security/cve/CVE-2022-21698.html CVE-2022-21698 https://bugzilla.suse.com/1196338 SUSE Bug 1196338 https://bugzilla.suse.com/1248689 SUSE Bug 1248689