Login
Start Free Trial
Research Center
CVE-2022-21698 Research Center

CVE-2022-21698

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.

  • 7.5 high severity

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  • 15/02/2022

Products 4

Ex

Extra Packages for Enterprise Linux

by Fedoraproject

3 Versions

2 months ago

Fe

Fedora Extra Packages for Enterprise Linux

by Fedoraproject

2 Versions

5 months ago

Cl

Client Golang

by Prometheus

35 Versions

6 months ago

RD

RDO

by RDO Project

1 Version

6 months ago

Operating Systems 1

Fedora

by Fedoraproject

43 Versions

a month ago

Vulnerability Categories 2

Uncontrolled Resource Consumption ('Resource Exhaustion')
Missing Release of Resource after Effective Lifetime

xTags 4

#exposed_to_DOS_Attack
#easy_to_exploit
#known_vulnerability
#availability_impact_if_exploited

Patch Links 4

https://github.com/prometheus/client_golang/pull/962
Patch Now
https://github.com/prometheus/client_golang/pull/987
Patch Now
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
Patch Now
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
Patch Now

Advisory Links 19

https://github.com/prometheus/client_golang/pull/962
https://github.com/prometheus/client_golang/releases/tag/v1.11.1
https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
https://github.com/prometheus/client_golang/pull/987
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKORFJTRRDJCWBTJPISKKCVMMMJBIRLG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SASRKYHT5ZFSVMJUQUG3UAEQRJYGJKAR/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AK7CJBCGERCRXYUR2EWDSSDVAQMTAZGX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBMVIQFKQDSSTHVVJWJ4QH6TW3JVB7XZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V7I72LSQ3IET3QJR6QPAVGJZ4CBDLN5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IK53GWZ475OQ6ENABKMJMTOBZG6LXUR/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MH6ALXEQXIFQRQFNJ5Y2MJ5DFPIX76VN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
http://www.vicarius.io is owned and operated by Vicarius Ltd. (the “Company”). All information contained on the Website is purely for informational, and educational purposes and should be independently verified and confirmed. Vicarius does not accept any liability for any loss or damage whatsoever caused in reliance upon such information or services. No statements or information presented in any form by Vicarius is intended as fact, and you agree that you will not consider the statements or information presented on the Website as fact or as a guarantee of performance.

Related CVEs

Security Research Topics

By John Kilhefner
Aug 09, 2022

Analyzing the Quantum Threat

This isn’t just another “next step” of computing… The application of emerging quantum computing tech in the cybersecurity industry will result in arguably the most significant disruption the world has ever seen. Just how can a new evolution of computing do all this? Through the strange world of quantum mechanics.
By Michael Assraf
Aug 08, 2022

An Origin Story: vsociety

Welcome to vsociety – the open, independent, and user-centered community with features built specifically to make vulnerability research shareable and actionable at scale. We don't make many self-posts, but wanted to share our origins with you...
By M /
Aug 08, 2022

Exploiting Google SLO Generator with Python YAML Deserialization Attack

In this blog post, we will be detailing a new vector to exploit a vulnerable version of Google SLO Generator, a widely used Python library publicly available on Github. In other words, we will be searching for an older version that we can exploit to highlight the importance of keeping software packages up to date.
By John Kilhefner
Aug 08, 2022

Blockchain Security -- The New Threat. Part 1.

A new threat is on the horizon. And this new paradigm promises to be the most profound shift for security professionals since the dot-com boom of the nineties. I’m talking about blockchains and decentralized economies in the 2020s. To get a sense for the scope of change in front of us, we need to take a trip down memory lane – to the advent of the internet.
By Kent Weigle
Aug 05, 2022

CISAnalysis 05 August 2022

CVE-2022-27924, a vulnerability published in May 2022, has been added to CISA's Known Exploited Vulnerabilities Catalog.
last_chanse_02.png

Start Closing Security Gaps

  • Risk reduction from Day 1
  • Fast set-up and deployment
  • Unified platform
  • Full-featured 30-day trial
Get a Demo
Start Free Trial!