observability team mailing list archive
Message #00010
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
Hi all,
Following up on this issue...
On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
> Hi all,
>
> On 9/6/23 06:20, Cristovao Cordeiro wrote:
> > Sounds good to me. @Emilia Torino do you need those repos to exist in
> > Docker Hub before you can onboard these?
>
> We don't. Since we don't scan the upstream based ROCKs (we only need
> this for the deb based ones).
>
> >
> > On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <luca.bello@xxxxxxxxxxxxx> wrote:
> >
> > Hello everyone,
> >
> > as mentioned before, the ROCKs we have are all based on upstream
> > projects; the list is the following, as required:
> >
> > * Alertmanager (https://github.com/prometheus/alertmanager)
> > * Grafana Agent (https://github.com/grafana/agent)
> > * Grafana (https://github.com/grafana/grafana)
> > * Loki (https://github.com/grafana/loki)
> > * Mimir (https://github.com/grafana/mimir)
> > * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
> > * Traefik (https://github.com/traefik/traefik)
> >
> > Please let me know if any of these qualifies!
>
> I am not sure how urgent this is, but if you help me identify the associated
> Ubuntu source packages we can make this faster. Otherwise we can work on this
> next week.
>
Did you have a chance to check this?
>
> >
> >
> > Cheers,
> >
> > Luca
> >
> > On 31/05/2023 18:29, Cristovao Cordeiro wrote:
> >>
> >> > So the only change from our side will be to add prometheus to the email
> >> > notification subject (or I guess we can just simply replace it with "CVEs
> >> > potentially affecting upstream based ROCKs"). Are the email recipients
> >> > the same ones for the other ones?
> >>
> >>
> >> I think that would be fine for now. I'm reluctant to use the
> >> mailing list as a catch-all, but I think we can re-design this
> >> once there is an event bus at Canonical, so we rely less on emails.
> >>
> >> As for the other 10 ROCKs, @Luca Bello let's first do the right due
> >> diligence on those, cause if a ROCK is not meant to be under the
> >> "ubuntu" namespace, then this security monitoring doesn't need to apply.
> >>
> >> On Wed, May 31, 2023 at 3:58 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
> >>
> >>
> >> Hi all,
> >>
> >> On 31/5/23 04:03, Luca Bello wrote:
> >> > Hi everyone,
> >> >
> >> > as said in the thread already, the prometheus image is indeed a ROCK
> >> > based on the *prometheus/prometheus* repository.
> >>
> >> That's very convenient. But just to be clear again, we are not
> >> "inspecting" the upstream based rocks the same way we do for the deb
> >> based ones. We are only monitoring new CVEs created for prometheus,
> >> protobuf and consul. So the only change from our side will be to add
> >> prometheus to the email notification subject (or I guess we can just
> >> simply replace it with "CVEs potentially affecting upstream based
> >> ROCKs"). Are the email recipients the same ones for the other ones?
> >>
> >> >
> >> > We're in the process of updating all of our ROCKs in a similar way,
> >> > meaning we want to make sure we are complying with any guidelines you
> >> > might have on them.
> >> > We have about 10 ROCKs at the moment, mostly based on upstream projects
> >> > just like this one. Should I share the full list, so you can track them?
> >>
> >> I am happy to do an analysis of this list to see if we can add more. The
> >> short answer would be that if the software is packaged as a deb in main
> >> or universe (which is the situation for prometheus, protobuf and consul)
> >> then we can simply add them. This is because the service is based on the
> >> existing CVE triage work the security team does, which is mainly for
> >> debs (although it is now being extended to other ecosystems because of
> >> SOSS but it is still limited and mainly supporting NVIDIA software).
> >>
> >> A simple improvement though could be to map the projects to the rocks so
> >> you don't get a general notification, but one per ROCK as the USNs/debs
> >> based service does. We can work on adding this for the next cycle.
> >>
> >> >
> >> >
> >> > Cheers,
> >> >
> >> > Luca
> >> >
> >> >
> >> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
> >> >> Thank you for the swift action, Emilia!
> >> >>
> >> >> > Does this relate to a question being asked some hours ago in
> >> >> > ~Security
> >> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
> >> >>
> >> >> Yes, precisely. @Luca Bello is in the process of updating that image
> >> >> and we're re-doing our due diligence. Luca can confirm, but this seems
> >> >> to be a ROCK based precisely on that upstream Prometheus repository
> >> >> that you are already monitoring
> >> >> (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
> >> >>
> >> >> Can we then add this image to your list of tracked ROCKs?
> >> >>
> >> >>
> >> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
> >> >>
> >> >> Hey all,
> >> >>
> >> >> On 30/5/23 13:14, Emilia Torino wrote:
> >> >> > Hi Cristovao,
> >> >> >
> >> >> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
> >> >> >> Hi Emilia,
> >> >> >>
> >> >> >> could you please confirm the `prometheus` container image is being
> >> >> >> monitored?
> >> >> >
> >> >> > I don't see prometheus being monitored by our services (not as a rock
> >> >> > based on upstream source code nor as a rock based on debs). Does this
> >> >> > relate to a question being asked some hours ago in ~Security
> >> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
> >> >> >
> >> >> >
> >> >> >> These emails' subject only mentions cortex and telegraf, but I can
> >> >> >> see "https://github.com/prometheus/prometheus" in the body of the
> >> >> >> email.
> >> >> >
> >> >> > Apologies for the confusion, this sounds like a bug in the email
> >> >> > content generator code. I will take a look at it later.
> >> >>
> >> >> I investigated this bug and it should be solved already. There was an
> >> >> issue in the past, but we fixed it already. I thought it could be
> >> >> related but I see this notification you are asking about is from March.
> >> >> If you check the last notification sent on Thu, May 4, 2:03 AM, it is
> >> >> correctly reporting about a single package (cortex only).
> >> >>
> >> >> Let me know if you have any further questions.
> >> >>
> >> >> > In this case, only a new CVE affecting consul has been created in our
> >> >> > tracker
> >> >> > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
> >> >> >
> >> >> > Still, this does not mean cortex and telegraf are affected, since this
> >> >> > needs triage (i.e. understand if the code/version present in the rocks
> >> >> > are indeed vulnerable).
> >> >> >
> >> >> > FYI the reason why https://github.com/prometheus/prometheus (and also
> >> >> > https://github.com/gogo/protobuf) are listed in this email, is because
> >> >> > these 3 are the *only* upstream projects we are monitoring (because of
> >> >> > the bug the 3 are incorrectly listed in the email, only consul should
> >> >> > be). In other words, we are not scanning every upstream source project
> >> >> > which is used to build cortex and telegraf.
> >> >> >
> >> >> > There are reasons why this service is very limited, and I hope this
> >> >> > is/was clear. Let me know if you need more information.
> >> >> >
> >> >> > Emilia
> >> >> >
> >> >> >
> >> >> >>
> >> >> >> ---------- Forwarded message ---------
> >> >> >> From: <security-team-toolbox-bot@xxxxxxxxxxxxx>
> >> >> >> Date: Sat, Mar 11, 2023 at 6:03 AM
> >> >> >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and
> >> >> >> telegraf
> >> >> >> To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>,
> >> >> >> <sergio.durigan@xxxxxxxxxxxxx>, <emilia.torino@xxxxxxxxxxxxx>,
> >> >> >> <alex.murray@xxxxxxxxxxxxx>, <simon.aronsson@xxxxxxxxxxxxx>,
> >> >> >> <dylan.stephano-shachter@xxxxxxxxxxxxx>
> >> >> >>
> >> >> >>
> >> >> >> New CVEs affecting packages used to build upstream based rocks have
> >> >> >> been created in the Ubuntu CVE tracker:
> >> >> >>
> >> >> >> * https://github.com/gogo/protobuf:
> >> >> >> * https://github.com/hashicorp/consul: CVE-2023-0845
> >> >> >> * https://github.com/prometheus/prometheus:
> >> >> >>
> >> >> >> Please review your rock to understand if it is affected by these CVEs.
> >> >> >>
> >> >> >> Thank you for your rock and for attending to this matter.
> >> >> >>
> >> >> >> References:
> >> >> >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> Mailing list: https://launchpad.net/~ubuntu-docker-images
> >> >> >> Post to : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> >> >> >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
> >> >> >> More help : https://help.launchpad.net/ListHelp
> >> >> >>
> >> >> >> --
> >> >> >> Cris
> >> >>
> >> >> --
> >> >> Cris
> >>
> >> --
> >> Cris
> >
> > --
> > Cris
>
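The notification bug Emilia describes in the quoted thread (all three monitored upstream projects listed although only consul had a new CVE) and the improvement she proposes (map upstream projects to rocks and send one notice per ROCK) can be illustrated with a small script. This is an added example, not the security team's generator; the ROCK-to-upstream mapping and the tracker record are constructed sample data.

```python
"""Per-ROCK CVE notifications (hypothetical illustration, not the security
team's generator): one notice per ROCK, listing only the upstream projects
that actually have a new CVE in the tracker."""
from collections import defaultdict

# Constructed mapping of ROCK -> upstream projects it is built from.
ROCK_UPSTREAMS = {
    "cortex": ["https://github.com/prometheus/prometheus",
               "https://github.com/gogo/protobuf",
               "https://github.com/hashicorp/consul"],
    "telegraf": ["https://github.com/hashicorp/consul"],
    "prometheus": ["https://github.com/prometheus/prometheus"],
}

# Constructed sample of new tracker entries: (upstream project, CVE id).
# Only consul has one, as in the March notification discussed above.
NEW_CVES = [("https://github.com/hashicorp/consul", "CVE-2023-0845")]


def cves_by_project(records):
    """Group new CVE ids by the upstream project they were filed against."""
    grouped = defaultdict(set)
    for project, cve in records:
        grouped[project].add(cve)
    return grouped


def build_notifications(rock_upstreams, records):
    """Return {rock: {project: [cve ids]}} for rocks that use at least one
    project with a new CVE. Projects without new CVEs are omitted, which
    avoids the bug where every monitored project was listed regardless."""
    grouped = cves_by_project(records)
    notices = {}
    for rock, projects in rock_upstreams.items():
        affected = {p: sorted(grouped[p]) for p in projects if p in grouped}
        if affected:
            notices[rock] = affected
    return notices


def render(rock, affected):
    """Render the email body for one ROCK."""
    lines = [f"New CVEs affecting packages used to build the {rock} rock",
             "have been created in the Ubuntu CVE tracker:", ""]
    for project, cves in sorted(affected.items()):
        lines.append(f"* {project}: {', '.join(cves)}")
    lines += ["", "Please review your rock to understand if it is affected."]
    return "\n".join(lines)
```

Calling `build_notifications(ROCK_UPSTREAMS, NEW_CVES)` yields notices for cortex and telegraf only, each naming just consul; the prometheus rock gets nothing because none of its upstreams has a new CVE.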
References
- Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-05-30)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-05-30)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-05-30)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Luca Bello, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Luca Bello, 2023-06-09)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-06-09)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-06-09)