Skip to content

Fix for CVE-2021-31232: Alertmanager can expose local files content via specially crafted config #4129

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 27, 2021
Merged

Fix for CVE-2021-31232: Alertmanager can expose local files content via specially crafted config #4129

merged 2 commits into from
Apr 27, 2021

Conversation

pracucci
Copy link
Contributor

What this PR does:
This is the public PR for the CVE-2021-31232 fix.

Which issue(s) this PR fixes:
N/A

Checklist

  • Tests updated
  • Documentation added
  • CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

pracucci added 2 commits April 27, 2021 14:04
@pracucci
Improve alertmanager template checks
3fd099c 
Added HTTP and TLS validation
Use reflection to scan alertmanager config for validation
Do not allow SlackAPIURLFile, APIURLFile, APIKeyFile and ProxyURL too

Signed-off-by: Marco Pracucci <marco@pracucci.com>
@pracucci
Added CHANGELOG entry
7e4af8e 
Signed-off-by: Marco Pracucci <marco@pracucci.com>
@pracucci pracucci requested a review from pstibrany April 27, 2021 12:18
pstibrany
pstibrany approved these changes Apr 27, 2021
View reviewed changes
Copy link
Contributor

@pstibrany pstibrany left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@pstibrany pstibrany merged commit 5fc0350 into cortexproject:master Apr 27, 2021
@pracucci pracucci deleted the fix-alertmanager-template-validation branch April 27, 2021 13:02
@breadly7 breadly7 mentioned this pull request Mar 22, 2022
Closed
2 tasks
@alanprot
Copy link
Member

alanprot commented May 5, 2022

Hi @pracucci :D One last question? :D

Is there a specific reason to block proxy_url from the receivers due this CVE?
We are allowing to set other URLs anyway, like the slack or OpsGenie URL, right? So seems that setting up the proxy should be the same?

@alvinlin123 , thoughts?

@pracucci
Copy link
Contributor Author

pracucci commented May 5, 2022

Is there a specific reason to block proxy_url from the receivers due this CVE?

I don't remember the details, sorry, but at that time we decided to block all proxy URLs because we thought they could be potentially exploited (but we didn't investigated deeply, maybe was just paranoid).

@alvinlin123
Copy link
Contributor

We should re-enable proxy_url. if today proxy_url has security, then the issue needs to be fixed at the Prometheus' alert manager repo because proxy_url is a config supported by Prometheus alert manager.

My guess for the paranoid that Marco mentioned is because with issue like CVE-2021-31232, proxy_url add to the risk because hackers have more place to hack and gain access to Cortex's local file. But without CVE-2021-31232 there is no risk of enable proxy_url.

@padyx padyx mentioned this pull request May 19, 2022
Merged
3 tasks
@supergicko supergicko mentioned this pull request Jun 10, 2022
Closed
@zeeZ zeeZ mentioned this pull request Jul 23, 2024
Open
@BradErz BradErz mentioned this pull request Oct 15, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pstibrany pstibrany pstibrany approved these changes

Assignees
No one assigned
Labels
size/XL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pracucci @alanprot @alvinlin123 @pstibrany