prometheus 资源管理错误漏洞

CVE编号

CVE-2022-21698

利用情况

暂无

补丁情况

官方补丁

披露时间

2022-02-16

Prometheus是一款使用Go语言编写的、用于记录使用HTTP拉模型构建的时间序列数据库中实时指标的开源软件。
prometheus client golang存在资源管理错误漏洞，该漏洞源于网络系统或产品对系统资源（如内存、磁盘空间、文件等）的管理不当。

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：

https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p

参考链接
https://github.com/prometheus/client_golang/pull/962
https://github.com/prometheus/client_golang/pull/987
https://github.com/prometheus/client_golang/releases/tag/v1.11.1
https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	prometheus	client_golang	*		Up to (excluding) 1.11.1
	运行在以下环境
	系统	alpine_3.15	buildah	*		Up to (excluding) 1.23.4-r0
	运行在以下环境
	系统	debian_10	golang-github-prometheus-client-golang	*		Up to (excluding) 0.9.0-1
	运行在以下环境
	系统	debian_11	golang-github-prometheus-client-golang	*		Up to (excluding) 1.9.0-2
	运行在以下环境
	系统	debian_12	golang-github-prometheus-client-golang	*		Up to (excluding) 1.11.0-3
	运行在以下环境
	系统	debian_9	golang-github-prometheus-client-golang	*		Up to (excluding) 0.8.0-1
	运行在以下环境
	系统	debian_sid	golang-github-prometheus-client-golang	*		Up to (excluding) 1.11.0-3
	运行在以下环境
	系统	fedora_34	golang-github-prometheus-client-golang	*		Up to (excluding) 1.7.0-1.fc34
	运行在以下环境
	系统	fedora_35	golang-github-prometheus-client-golang	*		Up to (excluding) 1.7.0-1.fc35
	运行在以下环境
	系统	fedora_36	golang-github-prometheus-client-golang	*		Up to (excluding) 1.7.0-1.fc36

CWE-ID 漏洞类型 CWE-400 未加控制的资源消耗（资源穷尽） CWE-772 对已超过有效生命周期的资源丧失索引

还没有评论，来说两句吧...