Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

SUSE Linux: 2023:2598-1 Important: Prometheus Auth Bypass

suse
Calendar Grey February 27, 2024
Dist Suse Esm H88
SUSE releases critical patch for golang-github-prometheus-prometheus focusing on several security flaws.
* bsc#1204023 * bsc#1208049 * bsc#1208298 * jsc#MSQA-665 * jsc#PED-3576

Summary

## This update for golang-github-prometheus-prometheus fixes the following issues: golang-github-prometheus-prometheus: * Security issues fixed in this version update to 2.37.6: * CVE-2022-46146: Fix basic authentication bypass vulnerability (bsc#1208049, jsc#PED-3576) * CVE-2022-41715: Update our regexp library to fix upstream (bsc#1204023) * CVE-2022-41723: Fixed go issue to avoid quadratic complexity in HPACK decoding (bsc#1208298) * Other non-security bugs fixed and changes in this version update to 2.37.6: * [BUGFIX] TSDB: Turn off isolation for Head compaction to fix a memory leak. * [BUGFIX] TSDB: Fix 'invalid magic number 0' error on Prometheus startup. * [BUGFIX] Agent: Fix validation of flag options and prevent WAL from growing more than desired.

Topics%20covered

Topics Covered

security advisory vulnerability SUSE important patch openSUSE auth bypass Prometheus

References

* bsc#1204023

* bsc#1208049

* bsc#1208298

* jsc#MSQA-665

* jsc#PED-3576

Cross-

* CVE-2022-41715

* CVE-2022-41723

* CVE-2022-46146

CVSS scores:

* CVE-2022-41715 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2022-41715 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2022-41723 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2022-41723 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2022-46146 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

* CVE-2022-46146 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* openSUSE Leap 15.4

* openSUSE Leap 15.5

* SUSE Linux Enterprise Desktop 15 SP5

* SUSE Linux Enterprise High Performance Computing 15 SP5

* SUSE Linux Enterprise Micro 5.5

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2023:2598-1
Rating: important

Topics%20covered

Topics Covered

security advisory vulnerability SUSE important patch openSUSE auth bypass Prometheus

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here