Loading...

XML

Word

Printable

Details

Type: Improvement
Resolution: Fixed
Priority: Major
Fix Version/s: 3.1.0
Affects Version/s: 3.0
Component/s: SyncGateway
Security Level: Public
Labels:
- backport-candidate
- security

CVE ID:
CVE-2022-21698
Sprint:
CBG Sprint 99
Story Points:
2

Description

There's a high severity security vulnerability in the client_golang library as part of the Prometheus package which can cause resource usage and a denial of service in versions prior to 1.11.1. https://nvd.nist.gov/vuln/detail/CVE-2022-21698

According to Blackduck we use several versions in SGW 3.0.x
1.0.0 = github.com/prometheus/client_golang:v1.0.0
1.7.1 = godeps/src/github.com/prometheus/client_golang/
1.8.0 = godeps/src/github.com/prometheus/client_golang/prometheus/promhttp/

The vulnerability requires software to use specific functionality in the library. Discussing with engineering in Slack, we don't think the affected methods are used in Sync Gateway, so it is unlikely that SGW is vulnerable.

We should look to upgrade promethus / client_golang to prevent any unforeseen issues and false positives from security scans.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Marks Polakovs (Inactive)

Reporter:: Ian McCloy (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Apr/22 5:51 AM

Updated:: 18/Apr/23 8:21 AM

Resolved:: 13/Apr/23 4:01 PM

Gerrit Reviews

There are no open Gerrit changes

Update client-golang to 1.11.1+ CVE-2022-21698

Details

Description

Attachments

Gerrit Reviews

Activity

People

Dates

Gerrit Reviews

PagerDuty