observability team mailing list archive
Message #00018
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
Hi!
On Thu, Aug 17, 2023 at 9:53 AM Luca Bello <luca.bello@xxxxxxxxxxxxx> wrote:
> Hi everyone,
>
> that's correct, SeaweedFS is postponed :)
> On 17/08/2023 14:50, Cristovao Cordeiro wrote:
>
> Hi everyone,
>
> here's a ping just to revive this thread.
>
> @Emilia Torino <emilia.torino@xxxxxxxxxxxxx> you might have received some
> GH notifications from me, which are related to @Luca Bello
> <luca.bello@xxxxxxxxxxxxx> 's images which are now being prepared to be
> published.
>
>
Yes, I got them and I was also going to ping you all since from our last
discussion I said:
"I did a search over the provided sources and only found one case where we
have the project as a deb in the archive, which is alertmanager:
https://launchpad.net/ubuntu/+source/prometheus-alertmanager.
So unless you can confirm there are other debs in the archive matching the
remaining upstream projects, alertmanager is the only one we can add to our
CVEs monitoring service. I can add it right now."
> I'm updating the list from above with the Docker Hub repos that should be
> monitored:
>
> * Alertmanager (https://github.com/prometheus/alertmanager) ->
> https://hub.docker.com/r/ubuntu/alertmanager (new)
> * Grafana Agent (https://github.com/grafana/agent) ->
> https://hub.docker.com/r/ubuntu/grafana-agent (new)
> * Grafana (https://github.com/grafana/grafana) ->
> https://hub.docker.com/r/ubuntu/grafana
> * Loki (https://github.com/grafana/loki) ->
> https://hub.docker.com/r/ubuntu/loki
> * Mimir (https://github.com/grafana/mimir) ->
> https://hub.docker.com/r/ubuntu/mimir (new)
> * SeaweedFS (https://github.com/seaweedfs/seaweedfs) [1]
> * Traefik (https://github.com/traefik/traefik) ->
> https://hub.docker.com/r/ubuntu/traefik (new)
>
> So unfortunately, all others can't be monitored with the existing solution.
> [1] @Luca Bello <luca.bello@xxxxxxxxxxxxx> is this one postponed?
>
> On Mon, Jul 3, 2023 at 9:37 AM Luca Bello <luca.bello@xxxxxxxxxxxxx>
> wrote:
>
>> Hi Emilia,
>>
>> that's great; thanks for following through!
>>
>>
>> Cheers,
>>
>> Luca
>> On 28/06/2023 22:18, Emilia Torino wrote:
>>
>> Hi Luca,
>>
>> On Tue, Jun 27, 2023 at 5:11 AM Luca Bello <luca.bello@xxxxxxxxxxxxx>
>> wrote:
>>
>>> Hi Emilia,
>>>
>>> I did not look into it as our short-term priorities changed a little
>>> bit; if you need anything else from my side please let me know!
>>>
>>
>> I did a search over the provided sources and only found one case where we
>> have the project as a deb in the archive, which is alertmanager:
>> https://launchpad.net/ubuntu/+source/prometheus-alertmanager
>>
>> So unless you can confirm there are other debs in the archive matching
>> the remaining upstream projects, alertmanager is the only one we can add to
>> our CVEs monitoring service. I can add it right now.
>>
>> Let me know if you have any questions.
>>
>> Emilia
>>
>>>
>>> Cheers,
>>>
>>> Luca
>>> On 22/06/2023 17:37, Emilia Torino wrote:
>>>
>>> Hi all,
>>>
>>> Following up on this issue...
>>>
>>> On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
>>>
>>>> Hi all,
>>>>
>>>> On 9/6/23 06:20, Cristovao Cordeiro wrote:
>>>> > Sounds good to me. @Emilia Torino <emilia.torino@xxxxxxxxxxxxx> do you
>>>> > need those repos to exist in Docker Hub before you can onboard these?
>>>>
>>>> We don't, since we don't scan the upstream-based ROCKs (we only need
>>>> this for the deb-based ones).
>>>>
>>>> >
>>>> > On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <luca.bello@xxxxxxxxxxxxx> wrote:
>>>> >
>>>> > Hello everyone,
>>>> >
>>>> > as mentioned before, the ROCKs we have are all based on upstream
>>>> > projects; the list is the following, as required:
>>>> >
>>>> > * Alertmanager (https://github.com/prometheus/alertmanager)
>>>> > * Grafana Agent (https://github.com/grafana/agent)
>>>> > * Grafana (https://github.com/grafana/grafana)
>>>> > * Loki (https://github.com/grafana/loki)
>>>> > * Mimir (https://github.com/grafana/mimir)
>>>> > * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
>>>> > * Traefik (https://github.com/traefik/traefik)
>>>> >
>>>> > Please let me know if any of these qualifies!
>>>>
>>>> I am not sure how urgent this is, but if you help me identify the Ubuntu
>>>> source packages associated we can make this faster. Otherwise we can
>>>> work on this next week.
>>>>
>>>
>>> Did you have a chance to check this?
>>>
>>>
>>>>
>>>> >
>>>> >
>>>> > Cheers,
>>>> >
>>>> > Luca
>>>> >
>>>> > On 31/05/2023 18:29, Cristovao Cordeiro wrote:
>>>> >>
>>>> >> > So the only change from our side will be to add
>>>> >> > prometheus to the email notification subject (or I guess we can just
>>>> >> > simply replace it with "CVEs potentially affecting upstream based
>>>> >> > ROCKs"). Are the email recipients the same ones for the other ones?
>>>> >>
>>>> >> I think that would be fine for now. I'm reluctant to use the
>>>> >> mailing list as a catch-all, but I think we can re-design this
>>>> >> once there is an event bus at Canonical, so we rely less on emails.
>>>> >>
>>>> >> As for the other 10 ROCKs, @Luca Bello <luca.bello@xxxxxxxxxxxxx>
>>>> >> let's first do the right due diligence on those, cause if a ROCK is
>>>> >> not meant to be under the "ubuntu" namespace, then this security
>>>> >> monitoring doesn't need to apply.
>>>> >>
>>>> >> On Wed, May 31, 2023 at 3:58 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
>>>> >>
>>>> >>
>>>> >> Hi all,
>>>> >>
>>>> >> On 31/5/23 04:03, Luca Bello wrote:
>>>> >> > Hi everyone,
>>>> >> >
>>>> >> > as said in the thread already, the prometheus image is indeed a ROCK
>>>> >> > based on the *prometheus/prometheus* repository.
>>>> >>
>>>> >> That's very convenient. But just to be clear again, we are not
>>>> >> "inspecting" the upstream based rocks the same way we do for the deb
>>>> >> based ones. We are only monitoring new CVEs created for prometheus,
>>>> >> protobuf and consul. So the only change from our side will be to add
>>>> >> prometheus to the email notification subject (or I guess we can just
>>>> >> simply replace it with "CVEs potentially affecting upstream based
>>>> >> ROCKs"). Are the email recipients the same ones for the other ones?
>>>> >>
>>>> >> >
>>>> >> > We're in the process of updating all of our ROCKs in a similar way,
>>>> >> > meaning we want to make sure we are complying with any guidelines you
>>>> >> > might have on them.
>>>> >> > We have about 10 ROCKs at the moment, mostly based on upstream projects
>>>> >> > just like this one. Should I share the full list, so you can track them?
>>>> >>
>>>> >> I am happy to do an analysis of this list to see if we can add more. The
>>>> >> short answer would be that if the software is packaged as a deb in main
>>>> >> or universe (which is the situation for prometheus, protobuf and consul)
>>>> >> then we can simply add them. This is because the service is based on the
>>>> >> existing CVE triage work the security team does, which is mainly for
>>>> >> debs (although it is now being extended to other ecosystems because of
>>>> >> SOSS, but it is still limited and mainly supporting NVIDIA software).
>>>> >>
>>>> >> A simple improvement though could be to map the projects to the rocks so
>>>> >> you don't get a general notification, but one per ROCK as the USNs/debs
>>>> >> based service does. We can work on adding this for the next cycle.
>>>> >>
>>>> >> >
>>>> >> >
>>>> >> > Cheers,
>>>> >> >
>>>> >> > Luca
>>>> >> >
>>>> >> >
>>>> >> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
>>>> >> >> Thank you for the swift action, Emilia!
>>>> >> >>
>>>> >> >> > Does this relate to a question being asked some hours ago in ~Security
>>>> >> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>> >> >>
>>>> >> >> Yes, precisely. @Luca Bello <luca.bello@xxxxxxxxxxxxx> is in the
>>>> >> >> process of updating that image and we're re-doing our due diligence.
>>>> >> >> Luca can confirm, but this seems to be a ROCK based precisely on that
>>>> >> >> upstream Prometheus repository that you are already monitoring
>>>> >> >> (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
>>>> >> >>
>>>> >> >> Can we then add this image to your list of tracked ROCKs?
>>>> >> >>
>>>> >> >>
>>>> >> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
>>>> >> >>
>>>> >> >> Hey all,
>>>> >> >>
>>>> >> >> On 30/5/23 13:14, Emilia Torino wrote:
>>>> >> >> > Hi Cristovao,
>>>> >> >> >
>>>> >> >> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
>>>> >> >> >> Hi Emilia,
>>>> >> >> >>
>>>> >> >> >> could you please confirm the `prometheus` container image is being
>>>> >> >> >> monitored?
>>>> >> >> >
>>>> >> >> > I don't see prometheus being monitored by our services (not as a rock
>>>> >> >> > based on upstream source code nor as a rock based on debs). Does this
>>>> >> >> > relate to a question being asked some hours ago in ~Security
>>>> >> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>> >> >> >
>>>> >> >> >
>>>> >> >> >> These emails' subject only mentions cortex and telegraf, but I can
>>>> >> >> >> see "https://github.com/prometheus/prometheus" in the body of the
>>>> >> >> >> email.
>>>> >> >> >
>>>> >> >> > Apologies for the confusion, this sounds like a bug in the email
>>>> >> >> > content generator code. I will take a look at it later.
>>>> >> >>
>>>> >> >> I investigated this bug and it should be solved already. There was an
>>>> >> >> issue in the past, but we fixed it already. I thought it could be
>>>> >> >> related, but I see the notification you are asking about is from March.
>>>> >> >> If you check the last notification sent on Thu, May 4, 2:03 AM, it is
>>>> >> >> correctly reporting about a single package (cortex only).
>>>> >> >>
>>>> >> >> Let me know if you have any further questions.
>>>> >> >>
>>>> >> >> > In this case, only a new CVE affecting consul has been created in
>>>> >> >> > our tracker
>>>> >> >> > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
>>>> >> >> >
>>>> >> >> > Still, this does not mean cortex and telegraf are affected, since this
>>>> >> >> > needs triage (i.e. understand if the code/version present in the rocks
>>>> >> >> > are indeed vulnerable).
>>>> >> >> >
>>>> >> >> > FYI the reason why https://github.com/prometheus/prometheus (and also
>>>> >> >> > https://github.com/gogo/protobuf) are listed in this email, is because
>>>> >> >> > these 3 are the *only* upstream projects we are monitoring (because of
>>>> >> >> > the bug the 3 are incorrectly listed in the email, only consul should
>>>> >> >> > be). In other words, we are not scanning every upstream source project
>>>> >> >> > which is used to build cortex and telegraf.
>>>> >> >> >
>>>> >> >> > There are reasons why this service is very limited, and I hope this
>>>> >> >> > is/was clear. Let me know if you need more information.
>>>> >> >> >
>>>> >> >> > Emilia
>>>> >> >> >
>>>> >> >> >
>>>> >> >> >>
>>>> >> >> >> ---------- Forwarded message ---------
>>>> >> >> >> From: <security-team-toolbox-bot@xxxxxxxxxxxxx>
>>>> >> >> >> Date: Sat, Mar 11, 2023 at 6:03 AM
>>>> >> >> >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and
>>>> >> >> >> telegraf
>>>> >> >> >> To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>, <sergio.durigan@xxxxxxxxxxxxx>,
>>>> >> >> >> <emilia.torino@xxxxxxxxxxxxx>, <alex.murray@xxxxxxxxxxxxx>,
>>>> >> >> >> <simon.aronsson@xxxxxxxxxxxxx>, <dylan.stephano-shachter@xxxxxxxxxxxxx>
>>>> >> >> >>
>>>> >> >> >>
>>>> >> >> >> New CVEs affecting packages used to build upstream based rocks have been
>>>> >> >> >> created in the Ubuntu CVE tracker:
>>>> >> >> >>
>>>> >> >> >> * https://github.com/gogo/protobuf:
>>>> >> >> >> * https://github.com/hashicorp/consul: CVE-2023-0845
>>>> >> >> >> * https://github.com/prometheus/prometheus:
>>>> >> >> >>
>>>> >> >> >> Please review your rock to understand if it is affected by these CVEs.
>>>> >> >> >>
>>>> >> >> >> Thank you for your rock and for attending to this matter.
>>>> >> >> >>
>>>> >> >> >> References:
>>>> >> >> >>
>>>> >> >> >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>>> >> >> >>
>>>> >> >> >>
>>>> >> >> >>
>>>> >> >> >> --
>>>> >> >> >> Mailing list: https://launchpad.net/~ubuntu-docker-images
>>>> >> >> >> Post to : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>>>> >> >> >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>>>> >> >> >> More help : https://help.launchpad.net/ListHelp
>>>> >> >> >>
>>>> >> >> >>
>>>> >> >> >> --
>>>> >> >> >> Cris
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >> --
>>>> >> >> Cris
>>>> >>
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Cris
>>>> > ____
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Cris
>>>>
>>>
>
> --
> Cris
>
>
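Two technical points run through the thread: the notification generator bug Emilia describes in her 30 May message (all three monitored upstream projects were listed although only consul had a new tracker entry) and the per-ROCK notification she proposes as a follow-up improvement. The following is an added Python example written for this page, not the security team's service code, that implements both behaviours over constructed data. The ROCK-to-upstream mapping, the TrackerEntry shape and the message wording are assumptions; the three monitored projects, the tracker URL prefix and CVE-2023-0845 are taken from the thread.

```python
"""Per-ROCK CVE notification builder (illustrative example, not the real service).

Given new Ubuntu CVE tracker entries attributed to upstream repositories, emit
one notification per ROCK that is built from an affected upstream, and list
only the upstreams that actually have a new CVE (the bug discussed in the
thread listed every monitored project regardless).
"""
from dataclasses import dataclass

# Constructed mapping of ROCK -> upstream repositories it is built from.
# Hypothetical: in practice this would be derived from each ROCK's rockcraft.yaml.
ROCK_UPSTREAMS = {
    "cortex": ["https://github.com/hashicorp/consul",
               "https://github.com/gogo/protobuf"],
    "telegraf": ["https://github.com/gogo/protobuf"],
    "prometheus": ["https://github.com/prometheus/prometheus"],
}

# The three upstream projects the thread says are actually monitored.
MONITORED = {
    "https://github.com/prometheus/prometheus",
    "https://github.com/gogo/protobuf",
    "https://github.com/hashicorp/consul",
}

TRACKER_BASE = "https://git.launchpad.net/ubuntu-cve-tracker/tree/active/"


@dataclass(frozen=True)
class TrackerEntry:
    """A new entry in the Ubuntu CVE tracker, attributed to one upstream repo (assumed shape)."""
    cve: str
    upstream: str


@dataclass
class Notification:
    rock: str
    findings: dict  # upstream repo -> sorted list of CVE ids; never empty

    def subject(self) -> str:
        return f"[Ubuntu-docker-images] CVEs potentially affecting {self.rock}"

    def body(self) -> str:
        lines = [
            f"New CVEs affecting packages used to build the {self.rock} rock "
            "have been created in the Ubuntu CVE tracker:",
            "",
        ]
        # Only upstreams with at least one new CVE appear here.
        for upstream, cves in sorted(self.findings.items()):
            lines.append(f"* {upstream}: {', '.join(cves)}")
        lines += ["", "References:", ""]
        refs = sorted({c for cves in self.findings.values() for c in cves})
        lines += [TRACKER_BASE + c for c in refs]
        return "\n".join(lines)


def new_cves_by_upstream(entries):
    """Group new tracker entries by monitored upstream; unmonitored upstreams are dropped."""
    grouped = {}
    for entry in entries:
        if entry.upstream not in MONITORED:
            continue
        grouped.setdefault(entry.upstream, set()).add(entry.cve)
    return grouped


def build_notifications(entries, rock_upstreams=ROCK_UPSTREAMS):
    """One Notification per ROCK that has at least one affected upstream, in ROCK-name order."""
    grouped = new_cves_by_upstream(entries)
    notifications = []
    for rock, upstreams in sorted(rock_upstreams.items()):
        findings = {u: sorted(grouped[u]) for u in upstreams if u in grouped}
        if findings:  # ROCKs with nothing new get no email at all
            notifications.append(Notification(rock, findings))
    return notifications


if __name__ == "__main__":
    # Constructed input mirroring the forwarded bot email: only consul had a new CVE.
    sample = [TrackerEntry("CVE-2023-0845", "https://github.com/hashicorp/consul")]
    for note in build_notifications(sample):
        print(note.subject())
        print(note.body())
        print()
```

With the constructed input above, only the cortex ROCK is notified and its body names consul alone; prometheus and protobuf, which have no new entry, are not listed, and telegraf and prometheus receive nothing. Entries for upstreams outside the monitored set are ignored, which mirrors the limited scope Emilia describes.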
References:
- Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-05-30)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-05-30)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-05-30)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Luca Bello, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-05-31)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Luca Bello, 2023-06-09)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-06-09)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-06-09)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-06-22)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Luca Bello, 2023-06-27)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Emilia Torino, 2023-06-28)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Luca Bello, 2023-07-03)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Cristovao Cordeiro, 2023-08-17)
- Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf (From: Luca Bello, 2023-08-17)