
ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting cortex and telegraf


On Tuesday, March 22 2022, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:

> New CVEs affecting packages used to build upstream based rocks have been
> created in the Ubuntu CVE tracker:
>
> * https://github.com/gogo/protobuf:
> * https://github.com/hashicorp/consul: CVE-2022-24687
> * https://github.com/prometheus/prometheus:
>
> Please review your rock to understand if it is affected by these CVEs.

I've investigated these packages and found that:

- Telegraf isn't affected on Jammy, because it uses consul 1.12.0 which
  already has a fix for the CVE.  Since the 22.04 ROCK image will be
  based on this package, we're covered.

- Cortex seems to be affected, even upstream's git HEAD.  I filed
  https://github.com/cortexproject/cortex/issues/4682.  I'm not 100%
  sure whether the specific consul feature that is affected by the CVE
  (Ingress Gateway) is used by cortex or not.  I will wait on upstream's
  answer to decide which action to take here.

Thanks,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
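The triage in the message above comes down to one check per rock: which version of each module named in the CVE notice does the image's Go build pull in, and is that version at or past the release that carries the fix. The script below is an added illustration of that check, not code from the ubuntu-docker-images team, telegraf or cortex. It parses a constructed go.mod (module paths from the notice, versions invented) and compares each watched module against a minimum fixed version. The only fixed version filled in is the one the message states (consul 1.12.0 for CVE-2022-24687); the other two entries are placeholders because the notice gives no CVE id for them, so those must come from the Ubuntu CVE tracker. Commit-based pseudo-versions and pre-release tags are handled explicitly, since a naive string comparison gets both wrong.

```python
"""Check a rock's go.mod against the modules named in a CVE notice.

Added illustration only. The watchlist, fixed versions and the sample go.mod
are constructed from what the message states, plus labelled placeholders.
"""
import re

# Constructed sample go.mod: module paths are those in the notice, versions are invented.
SAMPLE_GO_MOD = """\
module example.com/rock

go 1.17

require (
	github.com/gogo/protobuf v1.3.2
	github.com/hashicorp/consul v1.12.0
	github.com/prometheus/prometheus v0.0.0-20220301120000-0123456789ab // indirect
)

require golang.org/x/sys v0.0.0-20220227000000-0123456789cd
"""

# Assumption: minimum fixed version per watched module. Consul's comes from the
# message (1.12.0 carries the fix for CVE-2022-24687); the other two have no CVE
# id on the page, so they are placeholders to be filled in from the tracker.
WATCHLIST = {
    "github.com/hashicorp/consul": ("CVE-2022-24687", (1, 12, 0)),
    "github.com/gogo/protobuf": ("CVE-PLACEHOLDER", None),
    "github.com/prometheus/prometheus": ("CVE-PLACEHOLDER", None),
}

REQUIRE_LINE = re.compile(r"^\s*(?:require\s+)?(\S+)\s+(v\S+)")
PSEUDO_VERSION = re.compile(r"-\d{14}-[0-9a-f]{12}$")   # vX.Y.Z-yyyymmddhhmmss-commit


def parse_requires(go_mod):
    """Return {module path: version} for every require directive, block or single-line."""
    requires = {}
    in_block = False
    for raw in go_mod.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop comments such as "// indirect"
        if not line:
            continue
        if line == "require (":
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block or line.startswith("require "):
            m = REQUIRE_LINE.match(line)
            if m:
                requires[m.group(1)] = m.group(2)
    return requires


def parse_semver(version):
    """Split 'v1.12.0-rc1' into ((1, 12, 0), 'rc1'); prerelease is '' for a final release."""
    core, _, prerelease = version.lstrip("v").split("+", 1)[0].partition("-")
    return tuple(int(p) for p in core.split(".")), prerelease


def classify(version, fixed):
    """Compare one required version against the minimum fixed version."""
    if fixed is None:
        return "needs-fixed-version"     # CVE id or fix release still to be looked up
    if PSEUDO_VERSION.search(version):
        return "unknown"                 # commit-based pseudo-version: compare the commit by hand
    core, prerelease = parse_semver(version)
    if core < fixed or (core == fixed and prerelease):
        return "affected"                # v1.12.0-rc1 predates the v1.12.0 release
    return "fixed"


def assess(go_mod, watchlist=WATCHLIST):
    """Map each watched module the go.mod requires to (cve, status, path, version).

    A submodule (e.g. github.com/hashicorp/consul/api) is reported under the
    parent path; submodules may be versioned separately, so that case still
    deserves a manual look.
    """
    result = {}
    for path, version in parse_requires(go_mod).items():
        for watched, (cve, fixed) in watchlist.items():
            if path == watched or path.startswith(watched + "/"):
                result[watched] = (cve, classify(version, fixed), path, version)
    return result


if __name__ == "__main__":
    for module, (cve, status, path, version) in assess(SAMPLE_GO_MOD).items():
        print(f"{module:40} {cve:16} {status:20} ({path} {version})")
```

For a built image rather than a source tree, the same module list can be read back from the binary with `go version -m <binary>`, which is the more reliable input when the rock vendors or replaces dependencies; the comparison logic above applies unchanged.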

