suse-su-2022:2137-1
Vulnerability from csaf_suse
Published
2022-06-20 12:47
Modified
2022-06-20 12:47
Summary
Security update for golang-github-prometheus-node_exporter
Notes
Title of the patch
Security update for golang-github-prometheus-node_exporter
Description of the patch
This update for golang-github-prometheus-node_exporter fixes the following issues:
- CVE-2022-21698: Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24238, jsc#SLE-24239)
- Update to 1.3.0
* [CHANGE] Add path label to rapl collector #2146
* [CHANGE] Exclude filesystems under /run/credentials #2157
* [CHANGE] Add TCPTimeouts to netstat default filter #2189
* [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771
* [FEATURE] Add darwin powersupply collector #1777
* [FEATURE] Add support for monitoring GPUs on Linux #1998
* [FEATURE] Add Darwin thermal collector #2032
* [FEATURE] Add os release collector #2094
* [FEATURE] Add netdev.address-info collector #2105
* [FEATURE] Add clocksource metrics to time collector #2197
* [ENHANCEMENT] Support glob textfile collector directories #1985
* [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080
* [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165
* [ENHANCEMENT] Add flag to disable guest CPU metrics #2123
* [ENHANCEMENT] Add DMI collector #2131
* [ENHANCEMENT] Add threads metrics to processes collector #2164
* [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169
* [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189
* [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208
* [BUGFIX] ethtool: Sanitize metric names #2093
* [BUGFIX] Fix ethtool collector for multiple interfaces #2126
* [BUGFIX] Fix possible panic on macOS #2133
* [BUGFIX] Collect flag_info and bug_info only for one core #2156
* [BUGFIX] Prevent duplicate ethtool metric names #2187
- Update to 1.2.2
* Bug fixes
Fix processes collector long int parsing #2112
- Update to 1.2.1
* Removed
Remove obsolete capture permission denied error patch that was already included upstream.
* Bug fixes
Fix zoneinfo parsing prometheus/procfs#386
Fix nvme collector log noise #2091
Fix rapl collector log noise #2092
- Update to 1.2.0
* Changes
Rename filesystem collector flags to match other collectors #2012
Make node_exporter print usage to STDOUT #203
* Features
Add conntrack statistics metrics #1155
Add ethtool stats collector #1832
Add flag to ignore network speed if it is unknown #1989
Add tapestats collector for Linux #2044
Add nvme collector #2062
* Enhancements
Add ErrorLog plumbing to promhttp #1887
Add more Infiniband counters #2019
netclass: retrieve interface names and filter before parsing #2033
Add time zone offset metric #2060
* Bug fixes
Handle errors from disabled PSI subsystem #1983
Fix panic when using backwards compatible flags #2000
Fix wrong value for OpenBSD memory buffer cache #2015
Only initiate collectors once #2048
Handle small backwards jumps in CPU idle #2067
- Capture permission denied error for 'energy_uj' file (bsc#1190535)
- Update to 1.1.2
* Bug fixes
+ Handle errors from disabled PSI subsystem #1983
+ Sanitize strings from /sys/class/power_supply #1984
+ Silence missing netclass errors #1986
- Trim old specfile constructs
- Migrate to obs_scm
- Migrate to go_modules
- Update to 1.1.1
* Bug fixes
+ Fix ineffassign issue #1957
+ Fix some noisy log lines #1962
- Update to 1.1.0
* Changes
+ Improve filter flag names #1743
+ Add btrfs and powersupplyclass to list of exporters enabled by default #1897
* Features
+ Add fibre channel collector #1786
+ Expose cpu bugs and flags as info metrics. #1788
+ Add network_route collector #1811
+ Add zoneinfo collector #1922
* Enhancements
+ Add more InfiniBand counters #1694
+ Add flag to aggr ipvs metrics to avoid high cardinality metrics #1709
+ Adding backlog/current queue length to qdisc collector #1732
+ Include TCP OutRsts in netstat metrics #1733
+ Add pool size to entropy collector #1753
+ Remove CGO dependencies for OpenBSD amd64 #1774
+ bcache: add writeback_rate_debug stats #1658
+ Add check state for mdadm arrays via node_md_state metric #1810
+ Expose XFS inode statistics #1870
+ Expose zfs zpool state #1878
+ Added an ability to pass collector.supervisord.url via SUPERVISORD_URL environment variable #1947
* Bug fixes
+ filesystem_freebsd: Fix label values #1728
+ Fix various procfs parsing errors #1735
+ Handle no data from powersupplyclass #1747
+ udp_queues_linux.go: change upd to udp in two error strings #1769
+ Fix node_scrape_collector_success behaviour #1816
+ Fix NodeRAIDDegraded to not use a string rule expressions #1827
+ Fix node_md_disks state label from fail to failed #1862
+ Handle EPERM for syscall in timex collector #1938
+ bcache: fix typo in a metric name #1943
+ Fix XFS read/write stats (https://github.com/prometheus/procfs/pull/343)
- Do not include sources (bsc#1151558)
- Remove rc symlink
Patchnames
SUSE-2022-2137,SUSE-SLE-Product-HPC-15-2022-2137,SUSE-SLE-Product-SLES-15-2022-2137,SUSE-SLE-Product-SLES_SAP-15-2022-2137
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for golang-github-prometheus-node_exporter",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for golang-github-prometheus-node_exporter fixes the following issues:\n\n- CVE-2022-21698: Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24238, jsc#SLE-24239)\n\n- Update to 1.3.0\n * [CHANGE] Add path label to rapl collector #2146\n * [CHANGE] Exclude filesystems under /run/credentials #2157\n * [CHANGE] Add TCPTimeouts to netstat default filter #2189\n * [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771\n * [FEATURE] Add darwin powersupply collector #1777\n * [FEATURE] Add support for monitoring GPUs on Linux #1998\n * [FEATURE] Add Darwin thermal collector #2032\n * [FEATURE] Add os release collector #2094\n * [FEATURE] Add netdev.address-info collector #2105\n * [FEATURE] Add clocksource metrics to time collector #2197\n * [ENHANCEMENT] Support glob textfile collector directories #1985\n * [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080\n * [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165\n * [ENHANCEMENT] Add flag to disable guest CPU metrics #2123\n * [ENHANCEMENT] Add DMI collector #2131\n * [ENHANCEMENT] Add threads metrics to processes collector #2164\n * [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169\n * [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189\n * [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208\n * [BUGFIX] ethtool: Sanitize metric names #2093\n * [BUGFIX] Fix ethtool collector for multiple interfaces #2126\n * [BUGFIX] Fix possible panic on macOS #2133\n * [BUGFIX] Collect flag_info and bug_info only for one core #2156\n * [BUGFIX] Prevent duplicate ethtool metric names #2187\n\n- Update to 1.2.2\n * Bug fixes\n Fix processes collector long int parsing #2112\n\n- Update to 1.2.1\n * Removed\n Remove obsolete capture permission denied error patch that was already included upstream.\n * Bug fixes\n Fix zoneinfo parsing prometheus/procfs#386\n Fix nvme collector log noise #2091\n Fix rapl collector log noise #2092\n\n- Update to 1.2.0\n * Changes\n Rename filesystem collector flags to match other collectors #2012\n Make node_exporter print usage to STDOUT #203\n * Features\n Add conntrack statistics metrics #1155\n Add ethtool stats collector #1832\n Add flag to ignore network speed if it is unknown #1989\n Add tapestats collector for Linux #2044\n Add nvme collector #2062\n * Enhancements\n Add ErrorLog plumbing to promhttp #1887\n Add more Infiniband counters #2019\n netclass: retrieve interface names and filter before parsing #2033\n Add time zone offset metric #2060\n * Bug fixes\n Handle errors from disabled PSI subsystem #1983\n Fix panic when using backwards compatible flags #2000\n Fix wrong value for OpenBSD memory buffer cache #2015\n Only initiate collectors once #2048\n Handle small backwards jumps in CPU idle #2067\n\n- Capture permission denied error for \u0027energy_uj\u0027 file (bsc#1190535)\n\n- Update to 1.1.2\n * Bug fixes\n + Handle errors from disabled PSI subsystem #1983\n + Sanitize strings from /sys/class/power_supply #1984\n + Silence missing netclass errors #1986\n\n- Trim old specfile constructs\n\n- Migrate to obs_scm\n- Migrate to go_modules\n- Update to 1.1.1\n * Bug fixes\n + Fix ineffassign issue #1957\n + Fix some noisy log lines #1962\n- Update to 1.1.0\n * Changes\n + Improve filter flag names #1743\n + Add btrfs and powersupplyclass to list of exporters enabled by default #1897\n * Features\n + Add fibre channel collector #1786\n + Expose cpu bugs and flags as info metrics. #1788\n + Add network_route collector #1811\n + Add zoneinfo collector #1922\n * Enhancements\n + Add more InfiniBand counters #1694\n + Add flag to aggr ipvs metrics to avoid high cardinality metrics #1709 \n + Adding backlog/current queue length to qdisc collector #1732 \n + Include TCP OutRsts in netstat metrics #1733 \n + Add pool size to entropy collector #1753 \n + Remove CGO dependencies for OpenBSD amd64 #1774 \n + bcache: add writeback_rate_debug stats #1658 \n + Add check state for mdadm arrays via node_md_state metric #1810 \n + Expose XFS inode statistics #1870 \n + Expose zfs zpool state #1878 \n + Added an ability to pass collector.supervisord.url via SUPERVISORD_URL environment variable #1947\n * Bug fixes\n + filesystem_freebsd: Fix label values #1728\n + Fix various procfs parsing errors #1735\n + Handle no data from powersupplyclass #1747\n + udp_queues_linux.go: change upd to udp in two error strings #1769\n + Fix node_scrape_collector_success behaviour #1816\n + Fix NodeRAIDDegraded to not use a string rule expressions #1827\n + Fix node_md_disks state label from fail to failed #1862\n + Handle EPERM for syscall in timex collector #1938\n + bcache: fix typo in a metric name #1943\n + Fix XFS read/write stats (https://github.com/prometheus/procfs/pull/343)\n\n- Do not include sources (bsc#1151558)\n- Remove rc symlink\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2022-2137,SUSE-SLE-Product-HPC-15-2022-2137,SUSE-SLE-Product-SLES-15-2022-2137,SUSE-SLE-Product-SLES_SAP-15-2022-2137",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_2137-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2022:2137-1",
"url": "https://www.suse.com/support/update/announcement/2022/suse-su-20222137-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2022:2137-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2022-June/011313.html"
},
{
"category": "self",
"summary": "SUSE Bug 1151558",
"url": "https://bugzilla.suse.com/1151558"
},
{
"category": "self",
"summary": "SUSE Bug 1190535",
"url": "https://bugzilla.suse.com/1190535"
},
{
"category": "self",
"summary": "SUSE Bug 1196338",
"url": "https://bugzilla.suse.com/1196338"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-21698 page",
"url": "https://www.suse.com/security/cve/CVE-2022-21698/"
}
],
"title": "Security update for golang-github-prometheus-node_exporter",
"tracking": {
"current_release_date": "2022-06-20T12:47:07Z",
"generator": {
"date": "2022-06-20T12:47:07Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2022:2137-1",
"initial_release_date": "2022-06-20T12:47:07Z",
"revision_history": [
{
"date": "2022-06-20T12:47:07Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"product": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"product_id": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.i586",
"product": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.i586",
"product_id": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le",
"product": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le",
"product_id": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.s390x",
"product": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.s390x",
"product_id": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"product": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"product_id": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64"
},
"product_reference": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64"
},
"product_reference": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64"
},
"product_reference": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64"
},
"product_reference": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64 as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64"
},
"product_reference": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le"
},
"product_reference": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.s390x as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.s390x"
},
"product_reference": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64 as component of SUSE Linux Enterprise Server 15-LTSS",
"product_id": "SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64"
},
"product_reference": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le"
},
"product_reference": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64"
},
"product_reference": "golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-21698",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-21698"
}
],
"notes": [
{
"category": "general",
"text": "client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-21698",
"url": "https://www.suse.com/security/cve/CVE-2022-21698"
},
{
"category": "external",
"summary": "SUSE Bug 1196338 for CVE-2022-21698",
"url": "https://bugzilla.suse.com/1196338"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-ESPOS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.aarch64",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.s390x",
"SUSE Linux Enterprise Server 15-LTSS:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15:golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-06-20T12:47:07Z",
"details": "important"
}
],
"title": "CVE-2022-21698"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…