Bugzilla – Bug 1186242
VUL-0: CVE-2021-29622: golang-github-prometheus-prometheus: Open Redirect security issue
Last modified: 2021-12-03 15:02:00 UTC
CVE-2021-29622

Prometheus 2.26.1-2.27.1 released to fix an Open Redirect security issue
From: Julien Pivotto
Date: Wed, 19 May 2021 10:08:13 +0200

Hello,

The Prometheus team has released bugfix releases about an Open Redirect (CWE-601) security issue. The issue has been assigned the CVE number CVE-2021-29622.

---

In 2.23.0, Prometheus changed its default UI to the New UI. To ensure a seamless transition, the URLs prefixed by /new redirect to /.

Due to a bug in the code, it is possible for an attacker to craft a URL that can redirect to any other URL, in the /new endpoint.

If a user visits a prometheus server with a specially crafted address (e.g.: http://127.0.0.1:9090/new/new), they can be redirected to an arbitrary URL. E.g. if a user visits http://127.0.0.1:9090/new/newhttp://www.google.com/, they will be redirected to http://google.com.

---

The security issue affects Prometheus v2.23.0 to v2.26.0, and v2.27.0.

Please find more information here: https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7

The Prometheus team thanks Aaron Devaney from MDSec for reporting this issue.

Timeline:
- May 12, 2021: Issue reported privately to Prometheus team
- May 12, 2021: A fix is proposed and reviewed
- May 13, 2021: CVE-2021-29622 issued by GitHub staff
- May 18, 2021: Bugfix released for the last two minor releases of Prometheus.

The releases can be found in the usual locations:
v2.26.1: https://github.com/prometheus/prometheus/releases/tag/v2.26.1
v2.27.1: https://github.com/prometheus/prometheus/releases/tag/v2.27.1

Thanks,
The Prometheus Team

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29622
http://seclists.org/oss-sec/2021/q2/156
https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
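The redirect behaviour the advisory describes, reconstructed as an added Go example (this is not Prometheus' own code): `vulnerableTarget` joins the remainder after `/new` straight onto the external URL path, `safeTarget` anchors the join at `/`, and an in-memory `net/http/httptest` request shows what each puts in the Location header for the advisory's crafted path. The route capture, the function names and an empty external URL path are all assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// vulnerableTarget mirrors the pattern behind CVE-2021-29622 (a reconstruction, not the
// project's code): with no prefix configured, the remainder "http://host/" survives
// path.Join as "http:/host" and reaches http.Redirect as an absolute URL.
func vulnerableTarget(externalPath, rest string) string {
	return path.Join(externalPath, strings.TrimPrefix(rest, "/new"))
}
// safeTarget anchors the join at "/", so path.Clean collapses any scheme or "//"
// prefix into a root-relative path and the Location can only stay on this origin.
func safeTarget(externalPath, rest string) string {
	return path.Join("/", externalPath, strings.TrimPrefix(rest, "/new"))
}

// redirectHandler stands in for a "/new/*path" route: capture what follows "/new"
// and answer 302 with whatever the target builder returns.
func redirectHandler(externalPath string, target func(string, string) string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, target(externalPath, strings.TrimPrefix(r.URL.Path, "/new")), http.StatusFound)
	})
}

// locationFor serves one in-memory request and returns the Location header.
func locationFor(h http.Handler, reqPath string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, reqPath, nil))
	return rec.Header().Get("Location")
}

// isSameOrigin is the check to apply to any Location value: no scheme, no host and
// no protocol-relative "//" prefix (browsers read "http:/host" as "http://host").
func isSameOrigin(loc string) bool {
	u, err := url.Parse(loc)
	return err == nil && u.Scheme == "" && u.Host == "" && strings.HasPrefix(loc, "/") && !strings.HasPrefix(loc, "//")
}

func main() {
	for _, b := range []func(string, string) string{vulnerableTarget, safeTarget} {
		loc := locationFor(redirectHandler("", b), "/new/newhttp://www.google.com/") // advisory URL
		fmt.Printf("Location: %-26s same-origin: %v\n", loc, isSameOrigin(loc))
	}
}
```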
all SLE versions do not seem affected, only relevant for Factory
Request to server:monitoring submitted https://build.opensuse.org/request/show/894670
New Prometheus package providing version 27.1 accepted in openSUSE Tumbleweed.
Updated package golang-github-prometheus-prometheus won't install on the master node (SLES 15 SP1 system) of a SES 6 cluster:

master:~ # zypper in golang-github-prometheus-prometheus
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: nothing provides group(prometheus) needed by golang-github-prometheus-prometheus-2.27.1-3.8.1.x86_64
 Solution 1: do not install golang-github-prometheus-prometheus-2.27.1-3.8.1.x86_64
 Solution 2: break golang-github-prometheus-prometheus-2.27.1-3.8.1.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/c/d/?] (c): c
You (or someone from SES) will need to talk to maintenance so they add the missing package to the SES channels.
The missing package is `system-user-prometheus`. https://build.suse.de/package/show/SUSE:SLE-15:Update/system-user-prometheus
SUSE-SU-2021:2673-1: An update that fixes 5 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1175478,1186242,1186508,1186581,1186650
CVE References: CVE-2021-27962,CVE-2021-28146,CVE-2021-28147,CVE-2021-28148,CVE-2021-29622
JIRA References: SLE-18254
Sources used:
SUSE Manager Tools 12 (src): golang-github-prometheus-prometheus-2.27.1-1.29.2, grafana-7.5.7-1.21.2, mgr-cfg-4.2.3-1.18.2, mgr-custom-info-4.2.2-1.12.2, mgr-osad-4.2.6-1.30.2, mgr-push-4.2.3-1.12.2, mgr-virtualization-4.2.2-1.20.2, rhnlib-4.2.4-21.34.2, spacecmd-4.2.11-38.85.2, spacewalk-client-tools-4.2.12-52.53.2, spacewalk-koan-4.2.4-24.24.2, spacewalk-oscap-4.2.2-19.18.2, suseRegisterInfo-4.2.4-25.18.2, uyuni-common-libs-4.2.5-1.15.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2675-1: An update that solves 5 vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1175478,1186242,1186508,1186581,1186650,1188846
CVE References: CVE-2021-27962,CVE-2021-28146,CVE-2021-28147,CVE-2021-28148,CVE-2021-29622
JIRA References: SLE-18254
Sources used:
SUSE Manager Tools 15 (src): ansible-2.9.21-1.5.1, dracut-saltboot-0.1.1627546504.96a0b3e-1.27.1, golang-github-prometheus-prometheus-2.27.1-3.31.1, mgr-cfg-4.2.3-1.18.1, mgr-custom-info-4.2.2-1.12.1, mgr-osad-4.2.6-1.30.1, mgr-push-4.2.3-1.12.1, mgr-virtualization-4.2.2-1.20.1, rhnlib-4.2.4-3.28.1, spacecmd-4.2.11-3.62.1, spacewalk-client-tools-4.2.12-3.44.1, spacewalk-koan-4.2.4-3.21.1, spacewalk-oscap-4.2.2-3.12.1, suseRegisterInfo-4.2.4-3.15.1, uyuni-common-libs-4.2.5-1.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2664-1: An update that fixes one vulnerability, contains one feature is now available.

Category: security (moderate)
Bug References: 1186242
CVE References: CVE-2021-29622
JIRA References: SLE-18254
Sources used:
SUSE Enterprise Storage 6 (src): golang-github-prometheus-prometheus-2.27.1-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:2664-1: An update that fixes one vulnerability, contains one feature is now available.

Category: security (moderate)
Bug References: 1186242
CVE References: CVE-2021-29622
JIRA References: SLE-18254
Sources used:
openSUSE Leap 15.3 (src): golang-github-prometheus-prometheus-2.27.1-3.8.1
openSUSE-SU-2021:2675-1: An update that solves 5 vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1175478,1186242,1186508,1186581,1186650,1188846
CVE References: CVE-2021-27962,CVE-2021-28146,CVE-2021-28147,CVE-2021-28148,CVE-2021-29622
JIRA References: SLE-18254
Sources used:
openSUSE Leap 15.3 (src): ansible-2.9.21-1.5.1, dracut-saltboot-0.1.1627546504.96a0b3e-1.27.1, mgr-cfg-4.2.3-1.18.1, mgr-custom-info-4.2.2-1.12.1, mgr-osad-4.2.6-1.30.1, mgr-push-4.2.3-1.12.1, mgr-virtualization-4.2.2-1.20.1, rhnlib-4.2.4-3.28.1, spacecmd-4.2.11-3.62.1, spacewalk-client-tools-4.2.12-3.44.1, spacewalk-koan-4.2.4-3.21.1, spacewalk-oscap-4.2.2-3.12.1, suseRegisterInfo-4.2.4-3.15.1, uyuni-common-libs-4.2.5-1.15.1
all released, closing
openSUSE-SU-2021:1162-1: An update that solves 5 vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1175478,1186242,1186508,1186581,1186650,1188846
CVE References: CVE-2021-27962,CVE-2021-28146,CVE-2021-28147,CVE-2021-28148,CVE-2021-29622
JIRA References: SLE-18254
Sources used:
openSUSE Leap 15.2 (src): ansible-2.9.21-lp152.2.7.1, dracut-saltboot-0.1.1627546504.96a0b3e-lp152.2.26.1, golang-github-prometheus-prometheus-2.27.1-lp152.3.13.1
SUSE-SU-2021:3907-1: An update that solves 5 vulnerabilities, contains one feature and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1175478,1181223,1186242,1186508,1186581,1186650,1188042,1188977,1189458,1190512
CVE References: CVE-2021-27962,CVE-2021-28146,CVE-2021-28147,CVE-2021-28148,CVE-2021-29622
JIRA References: SLE-18254
Sources used:
SUSE Manager Tools 12-BETA (src): cobbler-2.6.6-52.9.1, golang-github-prometheus-prometheus-2.27.1-4.21.1, grafana-7.5.7-4.15.1, mgr-cfg-4.3.2-4.15.1, mgr-custom-info-4.3.2-4.9.1, mgr-daemon-4.3.2-4.15.1, mgr-osad-4.3.2-4.18.2, mgr-push-4.3.1-4.9.1, mgr-virtualization-4.3.1-4.9.2, prometheus-blackbox_exporter-0.19.0-3.3.1, rhnlib-4.3.1-24.18.1, spacecmd-4.3.4-41.27.1, spacewalk-client-tools-4.3.4-55.33.1, spacewalk-koan-4.3.1-27.9.1, spacewalk-oscap-4.3.1-22.9.1, spacewalk-remote-utils-4.3.1-27.9.1, supportutils-plugin-susemanager-client-4.3.1-9.12.1, suseRegisterInfo-4.3.1-28.15.1, system-user-grafana-1.0.0-3.5.1, system-user-prometheus-1.0.0-3.5.1, sysuser-tools-2.0-4.5.1, uyuni-common-libs-4.3.1-3.21.1, zypp-plugin-spacewalk-1.0.10-33.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:3908-1: An update that solves 6 vulnerabilities, contains four features and has 27 fixes is now available.

Category: security (moderate)
Bug References: 1164192,1167586,1168327,1170823,1173103,1173692,1175478,1180650,1181223,1184659,1185131,1186242,1186287,1186310,1186508,1186581,1186650,1186674,1186738,1187787,1187813,1188042,1188170,1188259,1188647,1188846,1188977,1189040,1190265,1190446,1190512,1191412,1191448
CVE References: CVE-2021-21996,CVE-2021-27962,CVE-2021-28146,CVE-2021-28147,CVE-2021-28148,CVE-2021-29622
JIRA References: ECO-3212,SLE-18028,SLE-18033,SLE-18254
Sources used:
SUSE Manager Tools 15-BETA (src): dracut-saltboot-0.1.1628156312.dbd0dec-3.27.1, golang-github-prometheus-prometheus-2.27.1-6.21.2, grafana-7.5.7-4.15.3, hwdata-0.334-6.5.1, koan-3.0.1-7.12.1, mgr-cfg-4.3.2-4.15.1, mgr-custom-info-4.3.2-4.9.1, mgr-daemon-4.3.2-4.15.2, mgr-osad-4.3.2-4.18.2, mgr-push-4.3.1-4.9.3, mgr-virtualization-4.3.1-4.9.3, prometheus-blackbox_exporter-0.19.0-3.3.2, python-contextvars-2.4-3.3.1, python-hwdata-2.3.5-5.7.1, python-immutables-0.11-3.3.1, python-jabberpy-0.5-5.5.1, rhnlib-4.3.1-6.18.2, salt-3003.3-8.44.1, spacecmd-4.3.4-6.27.1, spacewalk-client-tools-4.3.4-6.33.3, spacewalk-koan-4.3.1-6.9.2, spacewalk-oscap-4.3.1-6.9.2, spacewalk-remote-utils-4.3.1-6.9.2, supportutils-plugin-susemanager-client-4.3.1-6.12.2, suseRegisterInfo-4.3.1-6.15.2, system-user-grafana-1.0.0-3.5.1, system-user-prometheus-1.0.0-3.5.1, uyuni-common-libs-4.3.1-3.21.2, zypp-plugin-spacewalk-1.0.10-6.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.