Uploaded image for project: 'Couchbase Gateway'
  1. Couchbase Gateway
  2. CBG-2047

Update client-golang to 1.11.1+ CVE-2022-21698

    XMLWordPrintable

Details

    • CVE-2022-21698
    • CBG Sprint 99
    • 2

    Description

      There's a high severity security vulnerability in the client_golang library as part of the Prometheus package which can cause resource usage and a denial of service in versions prior to 1.11.1. https://nvd.nist.gov/vuln/detail/CVE-2022-21698

      According to Blackduck we use several versions in SGW 3.0.x
      1.0.0 = github.com/prometheus/client_golang:v1.0.0
      1.7.1 = godeps/src/github.com/prometheus/client_golang/
      1.8.0 = godeps/src/github.com/prometheus/client_golang/prometheus/promhttp/

      The vulnerability requires software to use specific functionality in the library. Discussing with engineering in Slack, we don't think the affected methods are used in Sync Gateway, so it is unlikely that SGW is vulnerable.

      We should look to upgrade promethus / client_golang to prevent any unforeseen issues and false positives from security scans.

      Attachments

        Activity

          People

            marks.polakovs Marks Polakovs (Inactive)
            ianmccloy Ian McCloy (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              PagerDuty