or later. client_golang version 1.11.2 contains a patch for this issue. If you are using 1.11.0 or 1.11.1, you must upgrade to 1.11.2 or later.

What is the status of Prometheus support for Go HTTP servers?

Go's HTTP servers have not been fully instrumented; however, client_golang provides a subset of middleware that reports useful information about your application's performance.

How can I protect my end users against this vulnerability?

Users can upgrade to the latest version of client_golang. Users can restrict the use of middleware by allowing only specific middleware. Users can filter unknown methods to prevent requests from being routed to the HTTP server. Users can block access to the HTTP server by adding a firewall rule or proxy configuration.

References

"CVE-2022-21698"
https://github.com/client_golang/client_golang/issues/21698

How can I get more information about Prometheus support for Go HTTP servers?

https://golang.org/s/prometheus

New Features and Improvements in Prometheus Client

Prometheus client 1.11.2 includes several important security and stability improvements, including a fix for CVE-2022-21698. If you are using 1.11.0 or 1.11.1, you must upgrade to 1.11.2 or later.

How can I protect my end users against this vulnerability?

The vulnerability is present in the HTTP handler for the "Unsafe HTTP Handler" middleware. If a user has this middleware enabled, they may be vulnerable to remote code execution.
To protect users, you should upgrade to the latest version of client_golang. Additionally, users can restrict the use of middleware by allowing only specific middleware. Users can filter unknown methods to prevent requests from being routed to the HTTP server. Lastly, users can block access to the HTTP server by adding a firewall rule or proxy configuration.

Timeline

Published on: 02/15/2022 16:15:00 UTC
Last modified on: 07/04/2022 04:15:00 UTC
