observability team mailing list archive
-
observability team
-
Mailing list archive
-
Message #00012
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
Hi Luca,
On Tue, Jun 27, 2023 at 5:11 AM Luca Bello <luca.bello@xxxxxxxxxxxxx> wrote:
> Hi Emilia,
>
> I did not look into it as our short-term priorities changed a little bit;
> if you need anything else from my side please let me know!
>
I did a search over the provided sources and only found one case where we
have the project as a deb in the archive, which is alertmanager:
https://launchpad.net/ubuntu/+source/prometheus-alertmanager
So unless you can confirm there are other debs in the archive matching the
remaining upstream projects, alertmanager is the only one we can add to our
CVEs monitoring service. I can add it right now.
Let me know if you have any questions.
Emilia
>
> Cheers,
>
> Luca
> On 22/06/2023 17:37, Emilia Torino wrote:
>
> Hi all,
>
> Following up on this issue...
>
> On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx>
> wrote:
>
>> Hi all,
>>
>> On 9/6/23 06:20, Cristovao Cordeiro wrote:
>> > Sounds good to me. @Emilia Torino
>> > <mailto:emilia.torino@xxxxxxxxxxxxx> do you need those repos to exist
>> in
>> > Docker Hub before you can onboard these?
>>
>> We don't. Since we don't scan the upstream based ROCKs (we only need
>> this for the deb based ones).
>>
>> >
>> > On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <luca.bello@xxxxxxxxxxxxx
>> > <mailto:luca.bello@xxxxxxxxxxxxx>> wrote:
>> >
>> > Hello everyone,
>> >
>> > as mentioned before, the ROCKs we have are all based on upstream
>> > projects; the list is the following, as required:
>> >
>> > * Alertmanager (https://github.com/prometheus/alertmanager
>> > <https://github.com/prometheus/alertmanager>)
>> > * Grafana Agent (https://github.com/grafana/agent
>> > <https://github.com/grafana/agent>)
>> > * Grafana (https://github.com/grafana/grafana
>> > <https://github.com/grafana/grafana>)
>> > * Loki (https://github.com/grafana/loki
>> > <https://github.com/grafana/loki>)
>> > * Mimir (https://github.com/grafana/mimir
>> > <https://github.com/grafana/mimir>)
>> > * SeaweedFS (https://github.com/seaweedfs/seaweedfs
>> > <https://github.com/seaweedfs/seaweedfs>)
>> > * Traefik (https://github.com/traefik/traefik
>> > <https://github.com/traefik/traefik>)
>> >
>> > Please let me know if any of these qualifies!
>>
>> I am not sure how urgent is this, but if you help me identify the Ubuntu
>> source packages associated we can make this faster. Otherwise we can
>> work on this next week.
>>
>
> Did you have a chance to check this?
>
>
>>
>> >
>> >
>> > Cheers,
>> >
>> > Luca
>> >
>> > On 31/05/2023 18:29, Cristovao Cordeiro wrote:
>> >>
>> >> So the only change from our side will be to add
>> >> prometheus to the email notification subject (or I guess we
>> >> can just
>> >> simple replace it with "CVEs potentially affecting upstream
>> based
>> >> ROCKs"). Are the email recipients the same ones for the other
>> >> ones?
>> >>
>> >>
>> >> I think that would be fine for now. I'm reluctant to use the
>> >> mailing list as a catch-all, but I think we can re-design this
>> >> once there is an event bus at Canonical, so we rely less on emails.
>> >>
>> >> As for the other 10 ROCKs, @Luca Bello
>> >> <mailto:luca.bello@xxxxxxxxxxxxx> let's first do the right due
>> >> diligence on those, cause if a ROCK is not meant to be under the
>> >> "ubuntu" namespace, then this security monitoring doesn't need to
>> >> apply.
>> >>
>> >> On Wed, May 31, 2023 at 3:58 PM Emilia Torino
>> >> <emilia.torino@xxxxxxxxxxxxx <mailto:emilia.torino@xxxxxxxxxxxxx>>
>> >> wrote:
>> >>
>> >>
>> >> Hi all,
>> >>
>> >> On 31/5/23 04:03, Luca Bello wrote:
>> >> > Hi everyone,
>> >> >
>> >> > as said in the thread already, the prometheus image is
>> >> indeed a ROCK
>> >> > based on the *prometheus/prometheus* repository.
>> >>
>> >> That's very convenient. But just to be clear again, we are not
>> >> "inspecting" the upstream based rocks the same way we do for
>> >> the deb
>> >> based ones. We are only monitoring new CVEs created for
>> >> prometheus,
>> >> protobuf and consul. So the only change from our side will be
>> >> to add
>> >> prometheus to the email notification subject (or I guess we
>> >> can just
>> >> simple replace it with "CVEs potentially affecting upstream
>> based
>> >> ROCKs"). Are the email recipients the same ones for the other
>> >> ones?
>> >>
>> >> >
>> >> > We're in the process of updating all of our ROCKs in a
>> >> similar way,
>> >> > meaning we want to make sure we are complying with any
>> >> guidelines you
>> >> > might have on them.
>> >> > We have about 10 ROCKs at the moment, mostly based on
>> >> upstream projects
>> >> > just like this one. Should I share the full list, so you can
>> >> track them?
>> >>
>> >> I am happy to do an analysis of this list to see if we can add
>> >> more. The
>> >> short answer would be that if the software is packaged as a
>> >> deb in main
>> >> or universe (which is the situation for prometheus, protobuf
>> >> and consul)
>> >> then we can simply add them. This is because the service is
>> >> based on the
>> >> existing CVE triage work the security team does, which is
>> >> mainly for
>> >> debs (although now is being extended to other ecosystems
>> >> because of SOSS
>> >> but it is still limited and mainly supporting NVIDIA software).
>> >>
>> >> A simple improvement though could be to map the projects to
>> >> the rocks so
>> >> you dont get a general notification, but one per ROCK as the
>> >> USNs/debs
>> >> based service does. We can work on adding this for the next
>> cycle.
>> >>
>> >> >
>> >> >
>> >> > Cheers,
>> >> >
>> >> > Luca
>> >> >
>> >> >
>> >> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
>> >> >> Thank you for the swift action, Emilia!
>> >> >>
>> >> >> > Does this
>> >> >> > relate to a question being asked some hours ago in
>> >> >> > ~Security
>> >> >>
>> >>
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo <
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo>?
>> >> >>
>> >> >> Yes, precisely. @Luca Bello
>> >> <mailto:luca.bello@xxxxxxxxxxxxx
>> >> <mailto:luca.bello@xxxxxxxxxxxxx>> is in
>> >> >> the process of updating that image and we're re-doing our
>> >> due diligence.
>> >> >> Luca can confirm, but this seems to be a ROCK based
>> >> precisely on that
>> >> >> upstream Prometheus repository that you are already
>> monitoring
>> >> >>
>> >> (
>> https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19
>> <
>> https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19
>> >).
>> >> >>
>> >> >> Can we then add this image to your list of tracked ROCKs?
>> >> >>
>> >> >>
>> >> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino
>> >> >> <emilia.torino@xxxxxxxxxxxxx
>> >> <mailto:emilia.torino@xxxxxxxxxxxxx>> wrote:
>> >> >>
>> >> >> Hey all,
>> >> >>
>> >> >> On 30/5/23 13:14, Emilia Torino wrote:
>> >> >> > Hi Cristovao,
>> >> >> >
>> >> >> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
>> >> >> >> Hi Emilia,
>> >> >> >>
>> >> >> >> could you please confirm the `prometheus` container
>> >> image is being
>> >> >> >> monitored?
>> >> >> >
>> >> >> > I don't see prometheus being monitored by our
>> >> services (not as a
>> >> >> rock
>> >> >> > based on upstream source code nor as a rock based on
>> >> debs). Does
>> >> >> this
>> >> >> > relate to a question being asked some hours ago in
>> >> >> > ~Security
>> >> >>
>> >>
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo <
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo>?
>> >> >> >
>> >> >> >
>> >> >> > These emails' subject only mentions cortex and
>> >> telegraf, but
>> >> >> >> I can see "https://github.com/prometheus/prometheus
>> >> <https://github.com/prometheus/prometheus>
>> >> >> >> <https://github.com/prometheus/prometheus
>> >> <https://github.com/prometheus/prometheus>>" in the body of
>> the
>> >> >> email.
>> >> >> >
>> >> >> > Apologize for the confusion, this sounds like a bug
>> >> in the email
>> >> >> content
>> >> >> > generator code. I will take a look at it later.
>> >> >>
>> >> >> I investigated this bug and it should be solved
>> >> already. There was an
>> >> >> issue in the past, but we fixed it already. I thought
>> >> it could be
>> >> >> related but I see this notification you are asking is
>> >> from March.
>> >> >> If you
>> >> >> check the last notification sent on Thu, May 4, 2:03 AM
>> >> is correctly
>> >> >> reporting about a single package (cortex only).
>> >> >>
>> >> >> Let me know if you have any further question.
>> >> >>
>> >> >> In this case, only a new
>> >> >> > CVE affecting consul has been created in our tracker
>> >> >> >
>> >> >>
>> >>
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>.
>> >> >> >
>> >> >> > Still, this does not mean cortex and telegraf are
>> >> affected,
>> >> >> since this
>> >> >> > needs triage (i.e. understand if the code/version
>> >> present in the
>> >> >> rocks
>> >> >> > are indeed vulnerable).
>> >> >> >
>> >> >> > FYI the reason why
>> >> https://github.com/prometheus/prometheus
>> >> <https://github.com/prometheus/prometheus> (and
>> >> >> also
>> >> >> > https://github.com/gogo/protobuf
>> >> <https://github.com/gogo/protobuf>) are listed in this email,
>> is
>> >> >> because
>> >> >> > these 3 are the *only* upstream projects we are
>> >> monitoring
>> >> >> (because of
>> >> >> > the bug the 3 are incorrectly listed in the email,
>> >> only consul
>> >> >> should
>> >> >> > be). In other words, we are not scanning every
>> >> upstream source
>> >> >> project
>> >> >> > which is used to build cortex and telegraf.
>> >> >> >
>> >> >> > There are reasons why this service is very limited,
>> >> and I hope this
>> >> >> > is/was clear. Let me know if you need more
>> information.
>> >> >> >
>> >> >> > Emilia
>> >> >> >
>> >> >> >
>> >> >> >>
>> >> >> >> ---------- Forwarded message ---------
>> >> >> >> From: <security-team-toolbox-bot@xxxxxxxxxxxxx
>> >> <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>
>> >> >> >> <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx
>> >> <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>>>
>> >> >> >> Date: Sat, Mar 11, 2023 at 6:03 AM
>> >> >> >> Subject: [Ubuntu-docker-images] CVEs potentially
>> >> affecting
>> >> >> cortex and
>> >> >> >> telegraf
>> >> >> >> To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>> >> <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
>> >> >> >> <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>> >> <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>>,
>> >> >> >> <sergio.durigan@xxxxxxxxxxxxx
>> >> <mailto:sergio.durigan@xxxxxxxxxxxxx>
>> >> >> <mailto:sergio.durigan@xxxxxxxxxxxxx
>> >> <mailto:sergio.durigan@xxxxxxxxxxxxx>>>,
>> >> >> >> <emilia.torino@xxxxxxxxxxxxx
>> >> <mailto:emilia.torino@xxxxxxxxxxxxx>
>> >> >> <mailto:emilia.torino@xxxxxxxxxxxxx
>> >> <mailto:emilia.torino@xxxxxxxxxxxxx>>>,
>> >> >> >> <alex.murray@xxxxxxxxxxxxx
>> >> <mailto:alex.murray@xxxxxxxxxxxxx>
>> >> <mailto:alex.murray@xxxxxxxxxxxxx
>> >> <mailto:alex.murray@xxxxxxxxxxxxx>>>,
>> >> >> >> <simon.aronsson@xxxxxxxxxxxxx
>> >> <mailto:simon.aronsson@xxxxxxxxxxxxx>
>> >> >> <mailto:simon.aronsson@xxxxxxxxxxxxx
>> >> <mailto:simon.aronsson@xxxxxxxxxxxxx>>>,
>> >> >> >> <dylan.stephano-shachter@xxxxxxxxxxxxx
>> >> <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>
>> >> >> >> <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx
>> >> <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>>>
>> >> >> >>
>> >> >> >>
>> >> >> >> New CVEs affecting packages used to build upstream
>> >> based rocks
>> >> >> have been
>> >> >> >> created in the Ubuntu CVE tracker:
>> >> >> >>
>> >> >> >> * https://github.com/gogo/protobuf
>> >> <https://github.com/gogo/protobuf>
>> >> >> <https://github.com/gogo/protobuf
>> >> <https://github.com/gogo/protobuf>>:
>> >> >> >> * https://github.com/hashicorp/consul
>> >> <https://github.com/hashicorp/consul>
>> >> >> >> <https://github.com/hashicorp/consul
>> >> <https://github.com/hashicorp/consul>>: CVE-2023-0845
>> >> >> >> * https://github.com/prometheus/prometheus
>> >> <https://github.com/prometheus/prometheus>
>> >> >> >> <https://github.com/prometheus/prometheus
>> >> <https://github.com/prometheus/prometheus>>:
>> >> >> >>
>> >> >> >> Please review your rock to understand if it is
>> >> affected by
>> >> >> these CVEs.
>> >> >> >>
>> >> >> >> Thank you for your rock and for attending to this
>> >> matter.
>> >> >> >>
>> >> >> >> References:
>> >> >> >>
>> >> >>
>> >>
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>
>> >> >> >>
>> >> >>
>> >> <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>>
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >> --
>> >> >> >> Mailing list:
>> >> https://launchpad.net/~ubuntu-docker-images
>> >> <https://launchpad.net/~ubuntu-docker-images>
>> >> >> >> <https://launchpad.net/~ubuntu-docker-images
>> >> <https://launchpad.net/~ubuntu-docker-images>>
>> >> >> >> Post to :
>> >> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>> >> <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
>> >> >> >> <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>> >> <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>
>> >> >> >> Unsubscribe :
>> >> https://launchpad.net/~ubuntu-docker-images
>> >> <https://launchpad.net/~ubuntu-docker-images>
>> >> >> >> <https://launchpad.net/~ubuntu-docker-images
>> >> <https://launchpad.net/~ubuntu-docker-images>>
>> >> >> >> More help : https://help.launchpad.net/ListHelp
>> >> <https://help.launchpad.net/ListHelp>
>> >> >> >> <https://help.launchpad.net/ListHelp
>> >> <https://help.launchpad.net/ListHelp>>
>> >> >> >>
>> >> >> >>
>> >> >> >> --
>> >> >> >> Cris
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Cris
>> >>
>> >>
>> >>
>> >> --
>> >> Cris
>> > ____
>> >
>> >
>> >
>> > --
>> > Cris
>>
>
Follow ups
References
-
Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-05-30
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-05-30
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-05-30
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-05-31
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-05-31
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-05-31
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-05-31
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-06-09
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-06-09
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-06-09
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-06-22
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-06-27
