observability team mailing list archive
Message #00016
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
Hi everyone,
here's a ping just to revive this thread.
@Emilia Torino <emilia.torino@xxxxxxxxxxxxx> you might have received some
GH notifications from me, which are related to @Luca Bello
<luca.bello@xxxxxxxxxxxxx>'s images, which are now being prepared to be
published.
I'm updating the list from above with the Docker Hub repos that should be
monitored:
* Alertmanager (https://github.com/prometheus/alertmanager) ->
https://hub.docker.com/r/ubuntu/alertmanager (new)
* Grafana Agent (https://github.com/grafana/agent) ->
https://hub.docker.com/r/ubuntu/grafana-agent (new)
* Grafana (https://github.com/grafana/grafana) ->
https://hub.docker.com/r/ubuntu/grafana
* Loki (https://github.com/grafana/loki) ->
https://hub.docker.com/r/ubuntu/loki
* Mimir (https://github.com/grafana/mimir) ->
https://hub.docker.com/r/ubuntu/mimir (new)
* SeaweedFS (https://github.com/seaweedfs/seaweedfs) [1]
* Traefik (https://github.com/traefik/traefik) ->
https://hub.docker.com/r/ubuntu/traefik (new)
[1] @Luca Bello <luca.bello@xxxxxxxxxxxxx> is this one postponed?
On Mon, Jul 3, 2023 at 9:37 AM Luca Bello <luca.bello@xxxxxxxxxxxxx> wrote:
> Hi Emilia,
>
> that's great; thanks for following through!
>
>
> Cheers,
>
> Luca
> On 28/06/2023 22:18, Emilia Torino wrote:
>
> Hi Luca,
>
> On Tue, Jun 27, 2023 at 5:11 AM Luca Bello <luca.bello@xxxxxxxxxxxxx>
> wrote:
>
>> Hi Emilia,
>>
>> I did not look into it as our short-term priorities changed a little bit;
>> if you need anything else from my side please let me know!
>>
>
> I did a search over the provided sources and only found one case where we
> have the project as a deb in the archive, which is alertmanager:
> https://launchpad.net/ubuntu/+source/prometheus-alertmanager
>
> So unless you can confirm there are other debs in the archive matching the
> remaining upstream projects, alertmanager is the only one we can add to our
> CVEs monitoring service. I can add it right now.
>
> Let me know if you have any questions.
>
> Emilia
>
>>
>> Cheers,
>>
>> Luca
>> On 22/06/2023 17:37, Emilia Torino wrote:
>>
>> Hi all,
>>
>> Following up on this issue...
>>
>> On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino <
>> emilia.torino@xxxxxxxxxxxxx> wrote:
>>
>>> Hi all,
>>>
>>> On 9/6/23 06:20, Cristovao Cordeiro wrote:
>>> > Sounds good to me. @Emilia Torino <mailto:emilia.torino@xxxxxxxxxxxxx>
>>> > do you need those repos to exist in Docker Hub before you can onboard
>>> > these?
>>>
>>> We don't, since we don't scan the upstream-based ROCKs (we only need
>>> this for the deb-based ones).
>>>
>>> >
>>> > On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <luca.bello@xxxxxxxxxxxxx> wrote:
>>> >
>>> > Hello everyone,
>>> >
>>> > as mentioned before, the ROCKs we have are all based on upstream
>>> > projects; the list is the following, as required:
>>> >
>>> > * Alertmanager (https://github.com/prometheus/alertmanager)
>>> > * Grafana Agent (https://github.com/grafana/agent)
>>> > * Grafana (https://github.com/grafana/grafana)
>>> > * Loki (https://github.com/grafana/loki)
>>> > * Mimir (https://github.com/grafana/mimir)
>>> > * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
>>> > * Traefik (https://github.com/traefik/traefik)
>>> >
>>> > Please let me know if any of these qualifies!
>>>
>>> I am not sure how urgent this is, but if you help me identify the Ubuntu
>>> source packages associated we can make this faster. Otherwise we can
>>> work on this next week.
>>>
>>
>> Did you have a chance to check this?
>>
>>
>>>
>>> >
>>> >
>>> > Cheers,
>>> >
>>> > Luca
>>> >
>>> > On 31/05/2023 18:29, Cristovao Cordeiro wrote:
>>> >>
>>> >> > So the only change from our side will be to add prometheus to the
>>> >> > email notification subject (or I guess we can just simply replace it
>>> >> > with "CVEs potentially affecting upstream based ROCKs"). Are the
>>> >> > email recipients the same ones for the other ones?
>>> >>
>>> >> I think that would be fine for now. I'm reluctant to use the
>>> >> mailing list as a catch-all, but I think we can re-design this
>>> >> once there is an event bus at Canonical, so we rely less on emails.
>>> >>
>>> >> As for the other 10 ROCKs, @Luca Bello <mailto:luca.bello@xxxxxxxxxxxxx>
>>> >> let's first do the right due diligence on those, because if a ROCK is
>>> >> not meant to be under the "ubuntu" namespace, then this security
>>> >> monitoring doesn't need to apply.
>>> >>
>>> >> On Wed, May 31, 2023 at 3:58 PM Emilia Torino
>>> >> <emilia.torino@xxxxxxxxxxxxx> wrote:
>>> >>
>>> >>
>>> >> Hi all,
>>> >>
>>> >> On 31/5/23 04:03, Luca Bello wrote:
>>> >> > Hi everyone,
>>> >> >
>>> >> > as said in the thread already, the prometheus image is indeed a ROCK
>>> >> > based on the *prometheus/prometheus* repository.
>>> >>
>>> >> That's very convenient. But just to be clear again, we are not
>>> >> "inspecting" the upstream based rocks the same way we do for the deb
>>> >> based ones. We are only monitoring new CVEs created for prometheus,
>>> >> protobuf and consul. So the only change from our side will be to add
>>> >> prometheus to the email notification subject (or I guess we can just
>>> >> simply replace it with "CVEs potentially affecting upstream based
>>> >> ROCKs"). Are the email recipients the same ones for the other ones?
>>> >>
>>> >> >
>>> >> > We're in the process of updating all of our ROCKs in a similar way,
>>> >> > meaning we want to make sure we are complying with any guidelines you
>>> >> > might have on them.
>>> >> > We have about 10 ROCKs at the moment, mostly based on upstream projects
>>> >> > just like this one. Should I share the full list, so you can track them?
>>> >>
>>> >> I am happy to do an analysis of this list to see if we can add more. The
>>> >> short answer would be that if the software is packaged as a deb in main
>>> >> or universe (which is the situation for prometheus, protobuf and consul)
>>> >> then we can simply add them. This is because the service is based on the
>>> >> existing CVE triage work the security team does, which is mainly for
>>> >> debs (although it is now being extended to other ecosystems because of
>>> >> SOSS, but it is still limited and mainly supporting NVIDIA software).
>>> >>
>>> >> A simple improvement though could be to map the projects to the rocks so
>>> >> you don't get a general notification, but one per ROCK as the USNs/debs
>>> >> based service does. We can work on adding this for the next cycle.
>>> >>
>>> >> >
>>> >> >
>>> >> > Cheers,
>>> >> >
>>> >> > Luca
>>> >> >
>>> >> >
>>> >> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
>>> >> >> Thank you for the swift action, Emilia!
>>> >> >>
>>> >> >> > Does this relate to a question being asked some hours ago in
>>> >> >> > ~Security
>>> >> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>> >> >>
>>> >> >> Yes, precisely. @Luca Bello <mailto:luca.bello@xxxxxxxxxxxxx> is in
>>> >> >> the process of updating that image and we're re-doing our due
>>> >> >> diligence. Luca can confirm, but this seems to be a ROCK based
>>> >> >> precisely on that upstream Prometheus repository that you are already
>>> >> >> monitoring
>>> >> >> (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
>>> >> >>
>>> >> >> Can we then add this image to your list of tracked ROCKs?
>>> >> >>
>>> >> >>
>>> >> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino
>>> >> >> <emilia.torino@xxxxxxxxxxxxx> wrote:
>>> >> >>
>>> >> >> Hey all,
>>> >> >>
>>> >> >> On 30/5/23 13:14, Emilia Torino wrote:
>>> >> >> > Hi Cristovao,
>>> >> >> >
>>> >> >> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
>>> >> >> >> Hi Emilia,
>>> >> >> >>
>>> >> >> >> could you please confirm the `prometheus` container image is being
>>> >> >> >> monitored?
>>> >> >> >
>>> >> >> > I don't see prometheus being monitored by our services (not as a
>>> >> >> > rock based on upstream source code nor as a rock based on debs).
>>> >> >> > Does this relate to a question being asked some hours ago in
>>> >> >> > ~Security
>>> >> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>> >> >> >
>>> >> >> >
>>> >> >> >> These emails' subject only mentions cortex and telegraf, but
>>> >> >> >> I can see "https://github.com/prometheus/prometheus" in the body
>>> >> >> >> of the email.
>>> >> >> >
>>> >> >> > Apologies for the confusion, this sounds like a bug in the email
>>> >> >> > content generator code. I will take a look at it later.
>>> >> >>
>>> >> >> I investigated this bug and it should be solved already. There was an
>>> >> >> issue in the past, but we fixed it already. I thought it could be
>>> >> >> related, but I see the notification you are asking about is from
>>> >> >> March. If you check the last notification sent on Thu, May 4, 2:03 AM,
>>> >> >> it is correctly reporting about a single package (cortex only).
>>> >> >>
>>> >> >> Let me know if you have any further questions.
>>> >> >>
>>> >> >> > In this case, only a new CVE affecting consul has been created in
>>> >> >> > our tracker:
>>> >> >> > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>> >> >> >
>>> >> >> > Still, this does not mean cortex and telegraf are affected, since
>>> >> >> > this needs triage (i.e. understanding whether the code/version
>>> >> >> > present in the rocks is indeed vulnerable).
>>> >> >> >
>>> >> >> > FYI the reason why https://github.com/prometheus/prometheus (and
>>> >> >> > also https://github.com/gogo/protobuf) are listed in this email is
>>> >> >> > because these 3 are the *only* upstream projects we are monitoring
>>> >> >> > (because of the bug the 3 are incorrectly listed in the email; only
>>> >> >> > consul should be). In other words, we are not scanning every
>>> >> >> > upstream source project which is used to build cortex and telegraf.
>>> >> >> >
>>> >> >> > There are reasons why this service is very limited, and I hope this
>>> >> >> > is/was clear. Let me know if you need more information.
>>> >> >> >
>>> >> >> > Emilia
>>> >> >> >
>>> >> >> >
>>> >> >> >>
>>> >> >> >> ---------- Forwarded message ---------
>>> >> >> >> From: <security-team-toolbox-bot@xxxxxxxxxxxxx>
>>> >> >> >> Date: Sat, Mar 11, 2023 at 6:03 AM
>>> >> >> >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and
>>> >> >> >> telegraf
>>> >> >> >> To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>,
>>> >> >> >> <sergio.durigan@xxxxxxxxxxxxx>, <emilia.torino@xxxxxxxxxxxxx>,
>>> >> >> >> <alex.murray@xxxxxxxxxxxxx>, <simon.aronsson@xxxxxxxxxxxxx>,
>>> >> >> >> <dylan.stephano-shachter@xxxxxxxxxxxxx>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> New CVEs affecting packages used to build upstream based rocks
>>> >> >> >> have been created in the Ubuntu CVE tracker:
>>> >> >> >>
>>> >> >> >> * https://github.com/gogo/protobuf:
>>> >> >> >> * https://github.com/hashicorp/consul: CVE-2023-0845
>>> >> >> >> * https://github.com/prometheus/prometheus:
>>> >> >> >>
>>> >> >> >> Please review your rock to understand if it is affected by
>>> >> >> >> these CVEs.
>>> >> >> >>
>>> >> >> >> Thank you for your rock and for attending to this matter.
>>> >> >> >>
>>> >> >> >> References:
>>> >> >> >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>> >> >> >>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> --
>>> >> >> >> Mailing list: https://launchpad.net/~ubuntu-docker-images
>>> >> >> >> Post to : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>>> >> >> >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>>> >> >> >> More help : https://help.launchpad.net/ListHelp
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> --
>>> >> >> >> Cris
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> --
>>> >> >> Cris
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Cris
>>> > ____
>>> >
>>> >
>>> >
>>> > --
>>> > Cris
>>>
>>
--
Cris
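Two points in the quoted thread describe how the notification bot should behave: Emilia explains that the March mail listed all three monitored upstream projects (prometheus, protobuf, consul) when only consul had a new CVE, and she suggests mapping projects to ROCKs so each ROCK gets its own notification rather than a general one. The Python below is an added illustration of that corrected behaviour, written for this page; it is not the security team's toolbox code. The set of monitored projects and CVE-2023-0845 for consul come from the thread; the ROCK-to-project mapping, the tracker entry list and the unmonitored placeholder project are constructed for the example.

```python
"""Per-ROCK CVE notification generator (added example, not the toolbox bot's code)."""
from dataclasses import dataclass

# The three upstream projects the service monitors, as stated in the thread.
MONITORED_PROJECTS = {
    "https://github.com/prometheus/prometheus",
    "https://github.com/gogo/protobuf",
    "https://github.com/hashicorp/consul",
}

# Constructed mapping from ROCK name to the upstream projects it is built from.
# The thread only says cortex and telegraf were notified; which monitored
# projects each one pulls in is an assumption made for this example.
ROCK_PROJECTS = {
    "cortex": {"https://github.com/hashicorp/consul", "https://github.com/gogo/protobuf"},
    "telegraf": {"https://github.com/hashicorp/consul"},
    "prometheus": {"https://github.com/prometheus/prometheus"},
}

TRACKER = "https://git.launchpad.net/ubuntu-cve-tracker/tree/active/"

# Constructed "new tracker entries" feed: (cve_id, upstream project URL).
# CVE-2023-0845 for consul is the real entry from the thread; the second
# entry is a placeholder for a project the service does not monitor.
SAMPLE_ENTRIES = [
    ("CVE-2023-0845", "https://github.com/hashicorp/consul"),
    ("CVE-PLACEHOLDER-0001", "https://example.invalid/unmonitored-project"),
]


@dataclass
class Notification:
    subject: str
    body: str


def new_cves_by_project(tracker_entries):
    """Group new tracker entries by upstream project, keeping only monitored ones.

    Returning only projects that actually have a new CVE is what prevents the
    bug described in the thread, where every monitored project was listed.
    """
    by_project = {}
    for cve_id, project in tracker_entries:
        if project in MONITORED_PROJECTS:
            by_project.setdefault(project, []).append(cve_id)
    return by_project


def build_notifications(tracker_entries):
    """Return {rock: Notification} with one mail per ROCK that uses an affected project."""
    by_project = new_cves_by_project(tracker_entries)
    notifications = {}
    for rock, projects in sorted(ROCK_PROJECTS.items()):
        affected = {p: by_project[p] for p in sorted(projects) if p in by_project}
        if not affected:
            continue  # nothing new for this ROCK, so no mail is sent
        lines = [
            f"New CVEs affecting packages used to build the {rock} rock",
            "have been created in the Ubuntu CVE tracker:",
            "",
        ]
        refs = []
        for project, cves in affected.items():
            lines.append(f"* {project}: {', '.join(cves)}")
            refs.extend(TRACKER + cve for cve in cves)
        lines += ["", "Please review your rock to understand if it is affected by these CVEs.",
                  "", "References:"] + refs
        notifications[rock] = Notification(
            subject=f"[Ubuntu-docker-images] CVEs potentially affecting {rock}",
            body="\n".join(lines),
        )
    return notifications


if __name__ == "__main__":
    for rock, mail in build_notifications(SAMPLE_ENTRIES).items():
        print(f"Subject: {mail.subject}\n{mail.body}\n")
```

Run as a script, it produces one mail each for cortex and telegraf (both assumed to use consul), none for the prometheus ROCK, and neither mail mentions protobuf or prometheus, since those projects had no new tracker entry. As the thread notes, a listed CVE still needs triage; the generator only says which ROCKs pull in the affected project.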
References
- Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-05-30)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-05-30)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-05-30)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Luca Bello, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Luca Bello, 2023-06-09)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-06-09)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-06-09)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-06-22)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Luca Bello, 2023-06-27)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-06-28)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Luca Bello, 2023-07-03)