observability team mailing list archive
Message #00006
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
>
> So the only change from our side will be to add
> prometheus to the email notification subject (or I guess we can just
> simply replace it with "CVEs potentially affecting upstream based
> ROCKs"). Are the email recipients the same ones for the other ones?
I think that would be fine for now. I'm reluctant to use the mailing list
as a catch-all, but I think we can re-design this once there is an event
bus at Canonical, so we rely less on emails.
As for the other 10 ROCKs, @Luca Bello <luca.bello@xxxxxxxxxxxxx> let's
first do the right due diligence on those, because if a ROCK is not meant to
be under the "ubuntu" namespace, then this security monitoring doesn't need
to apply.
On Wed, May 31, 2023 at 3:58 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
>
> Hi all,
>
> On 31/5/23 04:03, Luca Bello wrote:
> > Hi everyone,
> >
> > as said in the thread already, the prometheus image is indeed a ROCK
> > based on the *prometheus/prometheus* repository.
>
> That's very convenient. But just to be clear again, we are not
> "inspecting" the upstream based rocks the same way we do for the deb
> based ones. We are only monitoring new CVEs created for prometheus,
> protobuf and consul. So the only change from our side will be to add
> prometheus to the email notification subject (or I guess we can just
> simply replace it with "CVEs potentially affecting upstream based
> ROCKs"). Are the email recipients the same ones for the other ones?
>
> >
> > We're in the process of updating all of our ROCKs in a similar way,
> > meaning we want to make sure we are complying with any guidelines you
> > might have on them.
> > We have about 10 ROCKs at the moment, mostly based on upstream projects
> > just like this one. Should I share the full list, so you can track them?
>
> I am happy to do an analysis of this list to see if we can add more. The
> short answer would be that if the software is packaged as a deb in main
> or universe (which is the situation for prometheus, protobuf and consul)
> then we can simply add them. This is because the service is based on the
> existing CVE triage work the security team does, which is mainly for
> debs (although now is being extended to other ecosystems because of SOSS
> but it is still limited and mainly supporting NVIDIA software).
>
> A simple improvement though could be to map the projects to the rocks so
> you don't get a general notification, but one per ROCK as the USNs/debs
> based service does. We can work on adding this for the next cycle.
>
> >
> >
> > Cheers,
> >
> > Luca
> >
> >
> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
> >> Thank you for the swift action, Emilia!
> >>
> >> > Does this relate to a question being asked some hours ago in ~Security
> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
> >>
> >> Yes, precisely. @Luca Bello <mailto:luca.bello@xxxxxxxxxxxxx> is in
> >> the process of updating that image and we're re-doing our due diligence.
> >> Luca can confirm, but this seems to be a ROCK based precisely on that
> >> upstream Prometheus repository that you are already monitoring
> >> (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
> >>
> >> Can we then add this image to your list of tracked ROCKs?
> >>
> >>
> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
> >>
> >> Hey all,
> >>
> >> On 30/5/23 13:14, Emilia Torino wrote:
> >> > Hi Cristovao,
> >> >
> >> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
> >> >> Hi Emilia,
> >> >>
> >> >> could you please confirm the `prometheus` container image is being
> >> >> monitored?
> >> >
> >> > I don't see prometheus being monitored by our services (not as a rock
> >> > based on upstream source code nor as a rock based on debs). Does this
> >> > relate to a question being asked some hours ago in ~Security
> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
> >> >
> >> >
> >> >> These emails' subject only mentions cortex and telegraf, but
> >> >> I can see "https://github.com/prometheus/prometheus" in the body of the
> >> >> email.
> >> >
> >> > Apologies for the confusion, this sounds like a bug in the email content
> >> > generator code. I will take a look at it later.
> >>
> >> I investigated this bug and it should be solved already. There was an
> >> issue in the past, but we fixed it already. I thought it could be
> >> related but I see this notification you are asking about is from March.
> >> If you check the last notification sent on Thu, May 4, 2:03 AM it is
> >> correctly reporting about a single package (cortex only).
> >>
> >> Let me know if you have any further questions.
> >>
> >> > In this case, only a new
> >> > CVE affecting consul has been created in our tracker
> >> > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
> >> >
> >> > Still, this does not mean cortex and telegraf are affected, since this
> >> > needs triage (i.e. understand if the code/version present in the rocks
> >> > are indeed vulnerable).
> >> >
> >> > FYI the reason why https://github.com/prometheus/prometheus (and also
> >> > https://github.com/gogo/protobuf) are listed in this email, is because
> >> > these 3 are the *only* upstream projects we are monitoring (because of
> >> > the bug the 3 are incorrectly listed in the email, only consul should
> >> > be). In other words, we are not scanning every upstream source project
> >> > which is used to build cortex and telegraf.
> >> >
> >> > There are reasons why this service is very limited, and I hope this
> >> > is/was clear. Let me know if you need more information.
> >> >
> >> > Emilia
> >> >
> >> >
> >> >>
> >> >> ---------- Forwarded message ---------
> >> >> From: <security-team-toolbox-bot@xxxxxxxxxxxxx>
> >> >> Date: Sat, Mar 11, 2023 at 6:03 AM
> >> >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and
> >> >> telegraf
> >> >> To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>,
> >> >> <sergio.durigan@xxxxxxxxxxxxx>, <emilia.torino@xxxxxxxxxxxxx>,
> >> >> <alex.murray@xxxxxxxxxxxxx>, <simon.aronsson@xxxxxxxxxxxxx>,
> >> >> <dylan.stephano-shachter@xxxxxxxxxxxxx>
> >> >>
> >> >>
> >> >> New CVEs affecting packages used to build upstream based rocks have been
> >> >> created in the Ubuntu CVE tracker:
> >> >>
> >> >> * https://github.com/gogo/protobuf:
> >> >> * https://github.com/hashicorp/consul: CVE-2023-0845
> >> >> * https://github.com/prometheus/prometheus:
> >> >>
> >> >> Please review your rock to understand if it is affected by these CVEs.
> >> >>
> >> >> Thank you for your rock and for attending to this matter.
> >> >>
> >> >> References:
> >> >>
> >> >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Mailing list: https://launchpad.net/~ubuntu-docker-images
> >> >> Post to : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> >> >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
> >> >> More help : https://help.launchpad.net/ListHelp
> >> >>
> >> >>
> >> >> --
> >> >> Cris
> >>
> >>
> >>
> >> --
> >> Cris
>
--
Cris
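The thread touches two mechanics of the notification service: the bug that listed monitored upstream projects with no new CVEs in the mail body, and Emilia's suggested improvement of mapping upstream projects to ROCKs so each ROCK gets its own notification. The script below is an added example of that per-ROCK mapping, not the Ubuntu Security team's notifier code; the `ROCK_SOURCES` mapping and the sample CVE list are constructed for illustration (real ROCKs declare their sources in `rockcraft.yaml`), and the Ubuntu CVE tracker URL is the one quoted in the forwarded mail.

```python
"""Per-ROCK CVE notification builder (added example, not the team's notifier).

Takes newly triaged CVEs keyed by upstream project plus a mapping of which
upstream projects each ROCK is built from, and emits one notification per
affected ROCK, listing only the projects that actually have new CVEs.
"""

# Constructed mapping: which monitored upstream projects each ROCK is built
# from. Illustrative only; a real implementation would read rockcraft.yaml.
ROCK_SOURCES = {
    "cortex": [
        "https://github.com/hashicorp/consul",
        "https://github.com/gogo/protobuf",
    ],
    "telegraf": ["https://github.com/gogo/protobuf"],
    "prometheus": ["https://github.com/prometheus/prometheus"],
}

# Ubuntu CVE tracker base URL, as quoted in the forwarded notification.
TRACKER = "https://git.launchpad.net/ubuntu-cve-tracker/tree/active/"


def cves_by_rock(new_cves, rock_sources=ROCK_SOURCES):
    """Map {project_url: [cve_ids]} onto {rock: {project_url: [cve_ids]}}.

    Projects with no new CVEs are dropped, so a ROCK is reported only when
    at least one of its upstream projects has a new CVE. This is the fix for
    the empty "* <project>:" entries seen in the March mail.
    """
    affected = {}
    for rock, projects in rock_sources.items():
        hits = {p: sorted(new_cves[p]) for p in projects if new_cves.get(p)}
        if hits:
            affected[rock] = hits
    return affected


def render_notification(rock, hits):
    """Build the (subject, body) pair for a single ROCK."""
    subject = f"[Ubuntu-docker-images] CVEs potentially affecting {rock}"
    lines = [
        f"New CVEs affecting packages used to build the {rock} rock have been",
        "created in the Ubuntu CVE tracker:",
        "",
    ]
    refs = []
    for project, ids in hits.items():
        lines.append(f"* {project}: {', '.join(ids)}")
        refs.extend(TRACKER + cve for cve in ids)
    lines += [
        "",
        "Please review your rock to understand if it is affected by these CVEs.",
        "",
        "References:",
        "",
    ] + refs
    return subject, "\n".join(lines)


def build_notifications(new_cves, rock_sources=ROCK_SOURCES):
    """Return {rock: (subject, body)} for every affected ROCK."""
    return {
        rock: render_notification(rock, hits)
        for rock, hits in cves_by_rock(new_cves, rock_sources).items()
    }


if __name__ == "__main__":
    # Constructed input mirroring the thread: only consul has a new CVE; the
    # other two monitored projects have none and must not appear in the output.
    sample = {
        "https://github.com/hashicorp/consul": ["CVE-2023-0845"],
        "https://github.com/gogo/protobuf": [],
        "https://github.com/prometheus/prometheus": [],
    }
    for rock, (subject, body) in build_notifications(sample).items():
        print(subject)
        print(body)
        print()
```

With the constructed input only `cortex` is reported, because it is the only ROCK built from consul; `telegraf` and `prometheus` get no mail at all rather than a mail listing projects with empty CVE lists. Triage remains a separate step: as the thread notes, a new CVE against an upstream project does not by itself mean the ROCK's code or version is affected.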