CVE-2022-21698

client_golang is the instrumentation library for Go applications in Prometheus, and its promhttp package provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded label cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods: each distinct method string a client sends becomes a new value of the `method` label, and therefore a new time series. In order to be affected, instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter specific methods (e.g. GET) before the middleware; pass a metric with a `method` label name to the middleware; and not sit behind any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue.

Several workarounds are available: removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off the affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by Go's http.Request; and using a reverse proxy or web application firewall configured to only allow a limited set of methods.
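The "custom middleware before the promhttp handler" workaround, as an added Go example that is not client_golang's own code: `SanitizeMethod` bounds the `method` label value to a fixed allow-list plus "unknown", and `RejectUnknownMethods` answers 405 before an instrumented handler can create a series; `allowedMethods`, `probe` and the `/api` path are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)
// allowedMethods is the bounded set of values the `method` label may take
// (constructed for this example: the standard HTTP methods, case-sensitive).
var allowedMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "DELETE": true,
	"CONNECT": true, "OPTIONS": true, "TRACE": true, "PATCH": true,
}

// SanitizeMethod collapses any method outside the allow-list to "unknown", so the label has at most len(allowedMethods)+1 values.
func SanitizeMethod(method string) string {
	if allowedMethods[method] {
		return method
	}
	return "unknown"
}

// RejectUnknownMethods answers 405 to non-standard methods before the instrumented handler runs, so no series is created.
func RejectUnknownMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request through RejectUnknownMethods and reports the status and whether the inner handler was reached.
func probe(method string) (code int, reached bool) {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reached = true // this is where promhttp would observe r.Method as a label
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	RejectUnknownMethods(inner).ServeHTTP(rec, httptest.NewRequest(method, "/api", nil))
	return rec.Code, reached
}
func main() {
	for _, m := range []string{"GET", "POST", "PROPFIND", "X-RANDOM-12345"} {
		code, reached := probe(m)
		fmt.Printf("%-15s label=%-8s status=%d handler_reached=%v\n", m, SanitizeMethod(m), code, reached)
	}
}
```

Mount `RejectUnknownMethods` (or a wrapper that rewrites `r.Method` via `SanitizeMethod`) outside the `promhttp.InstrumentHandler*` chain; placing it inside still lets the unbounded label be recorded.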
CVSS 3.x Base Score
Provider: NIST (Primary)
Base score: 7.5 HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS score: percentile 59%
Affected Products (NVD)
Vendor | Product | Version
prometheus | client_golang | < 1.11.1 (x)
fedoraproject | extra_packages_for_enterprise_linux | 7.0
fedoraproject | extra_packages_for_enterprise_linux | 8.0
rdo_project | rdo | -
x = vulnerable software versions
Debian Releases
Debian product: golang-github-prometheus-client-golang
bookworm: 1.14.0-3 (fixed)
bullseye: no-dsa
buster: postponed
sid: 1.20.5-1 (fixed)
stretch: postponed
trixie: 1.20.5-1 (fixed)
Ubuntu Releases
Ubuntu product: golang-github-prometheus-client-golang
bionic: needs-triage
focal: needs-triage
impish: ignored
jammy: needs-triage
kinetic: ignored
lunar: ignored
mantic: ignored
noble: needs-triage
trusty: ignored
xenial: ignored
openSUSE / SLES Releases
openSUSE product: firewall-applet
suse enterprise desktop 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise sap 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise server 15 SP3: 0.9.3-150300.3.6.1 (fixed)
openSUSE product: firewall-config
suse enterprise desktop 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise sap 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise server 15 SP3: 0.9.3-150300.3.6.1 (fixed)
openSUSE product: firewall-macros
suse enterprise desktop 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise sap 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise server 15 SP3: 0.9.3-150300.3.6.1 (fixed)
openSUSE product: firewalld
suse enterprise desktop 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise sap 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise server 15 SP3: 0.9.3-150300.3.6.1 (fixed)
openSUSE product: firewalld-lang
suse enterprise desktop 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise sap 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise server 15 SP3: 0.9.3-150300.3.6.1 (fixed)
openSUSE product: golang-github-prometheus-node_exporter
suse enterprise desktop 15 SP3: 1.3.0-150100.3.18.1 (fixed)
suse enterprise sap 15 SP3: 1.3.0-150100.3.18.1 (fixed)
suse enterprise server 15 SP3: 1.3.0-150100.3.18.1 (fixed)
suse enterprise server 15 SP4: 1.3.0-150100.3.18.1 (fixed)
openSUSE product: podman
suse enterprise sap 15 SP3: 3.4.7-150300.9.9.2 (fixed)
suse enterprise sap 15 SP4: 3.4.7-150400.4.3.1 (fixed)
suse enterprise sap 15 SP5: 4.4.4-150500.1.4 (fixed)
suse enterprise sap 15 SP6: 4.8.3-150500.3.9.1 (fixed)
suse enterprise sap 15 SP7: 4.9.5-150500.3.40.1 (fixed)
suse enterprise server 15 SP3: 3.4.7-150300.9.9.2 (fixed)
suse enterprise server 15 SP4: 3.4.7-150400.4.3.1 (fixed)
suse enterprise server 15 SP5: 4.4.4-150500.1.4 (fixed)
suse enterprise server 15 SP6: 4.8.3-150500.3.9.1 (fixed)
suse enterprise server 15 SP7: 4.9.5-150500.3.40.1 (fixed)
openSUSE product: podman-cni-config
suse enterprise sap 15 SP3: 3.4.7-150300.9.9.2 (fixed)
suse enterprise sap 15 SP4: 3.4.7-150400.4.3.1 (fixed)
suse enterprise sap 15 SP5: 4.4.4-150500.1.4 (fixed)
suse enterprise server 15 SP3: 3.4.7-150300.9.9.2 (fixed)
suse enterprise server 15 SP4: 3.4.7-150400.4.3.1 (fixed)
suse enterprise server 15 SP5: 4.4.4-150500.1.4 (fixed)
openSUSE product: podman-docker
suse enterprise sap 15 SP4: 3.4.7-150400.4.3.1 (fixed)
suse enterprise sap 15 SP5: 4.4.4-150500.1.4 (fixed)
suse enterprise sap 15 SP6: 4.8.3-150500.3.9.1 (fixed)
suse enterprise sap 15 SP7: 4.9.5-150500.3.40.1 (fixed)
suse enterprise server 15 SP4: 3.4.7-150400.4.3.1 (fixed)
suse enterprise server 15 SP5: 4.4.4-150500.1.4 (fixed)
suse enterprise server 15 SP6: 4.8.3-150500.3.9.1 (fixed)
suse enterprise server 15 SP7: 4.9.5-150500.3.40.1 (fixed)
openSUSE product: podman-remote
suse enterprise sap 15 SP4: 3.4.7-150400.4.3.1 (fixed)
suse enterprise sap 15 SP5: 4.4.4-150500.1.4 (fixed)
suse enterprise sap 15 SP6: 4.8.3-150500.3.9.1 (fixed)
suse enterprise sap 15 SP7: 4.9.5-150500.3.40.1 (fixed)
suse enterprise server 15 SP4: 3.4.7-150400.4.3.1 (fixed)
suse enterprise server 15 SP5: 4.4.4-150500.1.4 (fixed)
suse enterprise server 15 SP6: 4.8.3-150500.3.9.1 (fixed)
suse enterprise server 15 SP7: 4.9.5-150500.3.40.1 (fixed)
openSUSE product: podmansh
suse enterprise sap 15 SP6: 4.8.3-150500.3.9.1 (fixed)
suse enterprise sap 15 SP7: 4.9.5-150500.3.40.1 (fixed)
suse enterprise server 15 SP6: 4.8.3-150500.3.9.1 (fixed)
suse enterprise server 15 SP7: 4.9.5-150500.3.40.1 (fixed)
openSUSE product: python3-firewall
suse enterprise desktop 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise sap 15 SP3: 0.9.3-150300.3.6.1 (fixed)
suse enterprise server 15 SP3: 0.9.3-150300.3.6.1 (fixed)
Red Hat Enterprise Linux Releases
Red Hat product: grafana
RHEL 9: 0:7.5.15-3.el9 (fixed)
References