oss-sec mailing list archives

CVE-2022-21698: HTTP method DOS; Prometheus client_golang <1.11.1 affected; Other web servers might be affected too


From: Bartek Plotka <bartek () prometheus io>
Date: Tue, 15 Feb 2022 13:53:06 +0100

Hi,

The Prometheus Team just published CVE-2022-21698
<https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p>,
which relates to the unbounded cardinality of the HTTP method, which is not
validated by some HTTP server implementations (including the Golang one). See
the GitHub security advisory
<https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p>
for more details on potential attack vectors, characteristics and workarounds.

Prometheus client_golang before 1.11.1 was affected. Newer versions are
patched. See the announcement
<https://groups.google.com/g/prometheus-announce/c/zlCm4A7FwZU>.

Note however that many metric implementations that gather metrics about
HTTP requests can be affected, even without using client_golang or when using
different programming languages (!). We notified some common open-source
web-server projects (including Kubernetes) and some of them were affected
(without client_golang) and were patched subsequently.
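To make the cardinality problem concrete, here is an added illustration (my own example, not code from client_golang or from the advisory) written against the Go standard library only. A tiny in-memory stand-in for a "method"-labelled counter is fed requests whose method is an arbitrary, syntactically valid token, which the Go HTTP server accepts as-is. The vulnerable labelling function copies the raw method into the label, so every distinct method allocates a new series; the hardened variant maps anything outside a fixed allow-list of standard methods to a single "unknown" value. The counter type, the allow-list and the helper names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// methodCounter is a minimal stand-in (assumption for this example) for a
// Prometheus CounterVec with a single "method" label: one series per
// distinct label value. Each new label value costs memory for the lifetime
// of the process, which is what an unbounded label lets a client exhaust.
type methodCounter struct {
	mu     sync.Mutex
	series map[string]int
}

func newMethodCounter() *methodCounter {
	return &methodCounter{series: map[string]int{}}
}

func (c *methodCounter) inc(label string) {
	c.mu.Lock()
	c.series[label]++
	c.mu.Unlock()
}

// cardinality reports how many distinct label values (series) exist.
func (c *methodCounter) cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// vulnerableLabel copies the request method straight into the label value.
// net/http only checks that the method is a valid token, so the label space
// is as large as the token grammar allows.
func vulnerableLabel(r *http.Request) string {
	return strings.ToLower(r.Method)
}

// knownMethods is the allow-list used by the hardened variant (assumed set
// of standard methods; adjust to what a given service actually serves).
var knownMethods = map[string]struct{}{
	"GET": {}, "HEAD": {}, "POST": {}, "PUT": {}, "DELETE": {},
	"CONNECT": {}, "OPTIONS": {}, "TRACE": {}, "PATCH": {},
}

// sanitizeMethod bounds the label: anything outside the allow-list becomes
// the single value "unknown". Methods are case-sensitive in HTTP, so the
// lookup is exact and only the returned label is lower-cased.
func sanitizeMethod(m string) string {
	if _, ok := knownMethods[m]; ok {
		return strings.ToLower(m)
	}
	return "unknown"
}

func hardenedLabel(r *http.Request) string {
	return sanitizeMethod(r.Method)
}

// instrument wraps next, incrementing one counter per label value derived
// from the request by labelOf.
func instrument(c *methodCounter, labelOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.inc(labelOf(r))
		next.ServeHTTP(w, r)
	})
}

// simulate sends n requests, each carrying a distinct but syntactically valid
// method token (constructed input, e.g. "M0", "M1", ...), through an
// instrumented handler and returns the resulting number of series.
func simulate(n int, labelOf func(*http.Request) string) int {
	c := newMethodCounter()
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := instrument(c, labelOf, ok)
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(fmt.Sprintf("M%d", i), "/", nil)
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return c.cardinality()
}

func main() {
	fmt.Printf("raw method label: %d series\n", simulate(1000, vulnerableLabel))
	fmt.Printf("sanitized label:  %d series\n", simulate(1000, hardenedLabel))
}
```

The same bound applies to any other label derived from attacker-controlled request data (for example a raw path instead of a route template); the defensive rule is that every label value must come from a finite set the server decides on, never from the client.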

We would like to thank Prometheus contributor David <https://github.com/dgl>,
for reporting this.

Thanks,
The Prometheus Team
