Bug 1208047

Summary: VUL-0: CVE-2022-46146: prometheus-ha_cluster_exporter: prometheus/exporter-toolkit: authentication bypass via cache poisoning
Product: [Novell Products] SUSE Security Incidents
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Incidents
Assignee: Stefano Torresi <stefano.torresi>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: security-team, stefano.torresi
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/349120/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-46146:8.8:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1208046

Description Gabriele Sonnu 2023-02-08 11:07:36 UTC
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to
versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and
users' bcrypted passwords, they can bypass security by poisoning the built-in
authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue.
There is no workaround, but an attacker must have access to the hashed password
to use this functionality.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46146
https://bugzilla.redhat.com/show_bug.cgi?id=2149436
http://www.openwall.com/lists/oss-security/2022/11/29/2
https://seclists.org/oss-sec/2022/q4/159
http://www.openwall.com/lists/oss-security/2022/11/29/1
http://www.openwall.com/lists/oss-security/2022/11/29/4
https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
https://www.cve.org/CVERecord?id=CVE-2022-46146
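The description above says the built-in authentication cache can be poisoned by someone who holds a user's hashed password. The model below is an added example written for this page; it is not exporter-toolkit code and it does not use bcrypt. It shows the mechanism: a cache keyed on `user || hashedPassword || password` concatenated without separators, so two different credential triples can map to the same key, beside a key that hex-encodes each component and joins them with `:` (the approach the referenced fix commit takes). Assumptions made here: a salted SHA-256 `demoHash` stands in for bcrypt so the example runs with the standard library only; a fixed `dummyHash` is compared against for unknown users to keep response timing constant, and its plaintext ("fakepassword") is assumed public; the user `alice`, her password, and all function names are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
)

// demoHash stands in for bcrypt so the example needs only the standard library
// (assumption: the cache-key flaw does not depend on which password hash is used).
func demoHash(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + ":" + password))
	return "$demo$" + salt + "$" + hex.EncodeToString(sum[:])
}

// demoCompare verifies password against a demoHash string in constant time.
func demoCompare(hashed, password string) bool {
	parts := strings.Split(hashed, "$")
	if len(parts) != 4 || parts[1] != "demo" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(hashed), []byte(demoHash(parts[2], password))) == 1
}

// dummyHash is compared against for unknown users so timing does not reveal
// whether a user exists. Assumption for this example: its plaintext is public.
var dummyHash = demoHash("dummysalt", "fakepassword")

type authenticator struct {
	users    map[string]string                      // user -> hashed password (web.yml contents)
	keyFunc  func(user, hashed, pass string) string // cache key derivation under test
	gateUser bool                                   // only cache a positive result for known users
	mu       sync.Mutex
	cache    map[string]bool
}

// vulnerableKey concatenates the components with nothing between them, so
// different (user, hash, pass) triples can yield the same key.
func vulnerableKey(user, hashed, pass string) string {
	return hex.EncodeToString(append(append([]byte(user), []byte(hashed)...), []byte(pass)...))
}

// fixedKey hex-encodes each component and joins with ':', which never occurs
// in hex output, so the key is an unambiguous encoding of the triple.
func fixedKey(user, hashed, pass string) string {
	return strings.Join([]string{
		hex.EncodeToString([]byte(user)),
		hex.EncodeToString([]byte(hashed)),
		hex.EncodeToString([]byte(pass)),
	}, ":")
}

func newAuthenticator(keyFunc func(user, hashed, pass string) string, gateUser bool) *authenticator {
	return &authenticator{
		// Constructed data: alice's password is never used by the attack below.
		users:    map[string]string{"alice": demoHash("s4lt", "correct horse battery staple")},
		keyFunc:  keyFunc,
		gateUser: gateUser,
		cache:    map[string]bool{},
	}
}

func (a *authenticator) authenticate(user, pass string) bool {
	hashed, validUser := a.users[user]
	if !validUser {
		hashed = dummyHash
	}
	key := a.keyFunc(user, hashed, pass)
	a.mu.Lock()
	defer a.mu.Unlock()
	ok, cached := a.cache[key]
	if !cached {
		ok = demoCompare(hashed, pass)
		if a.gateUser {
			ok = ok && validUser
		}
		a.cache[key] = ok
	}
	return ok && validUser
}

// poisonAndBypass plays an attacker who knows alice's hash H and the dummy
// plaintext but not alice's password; it reports whether request 2 is accepted.
func poisonAndBypass(a *authenticator) bool {
	aliceHash := a.users["alice"]
	// Request 1: unknown user named "alice"+H with the dummy plaintext. The dummy
	// hash verifies, and the unseparated key written is
	// hex("alice" || H || dummyHash || "fakepassword") -> true.
	a.authenticate("alice"+aliceHash, "fakepassword")
	// Request 2: real user alice with password dummyHash+"fakepassword"; the
	// unseparated key is the same byte string, so the poisoned entry is hit.
	return a.authenticate("alice", dummyHash+"fakepassword")
}

func main() {
	fmt.Println("unseparated key, no gate:", poisonAndBypass(newAuthenticator(vulnerableKey, false)))
	fmt.Println("separated key:           ", poisonAndBypass(newAuthenticator(fixedKey, false)))
	fmt.Println("unseparated key, gated:  ", poisonAndBypass(newAuthenticator(vulnerableKey, true)))
}
```

Either change alone blocks this particular collision: an unambiguous key removes the aliasing between the two requests, and refusing to cache a positive result for an unknown user means the poisoned entry is never written. Both are worth having; a cache keyed on attacker-influenced strings should always encode its components with a length prefix or a separator that cannot appear in the encoded data.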
Comment 1 Gabriele Sonnu 2023-02-08 11:10:48 UTC
prometheus/exporter-toolkit v0.7.1 is embedded in:

- SUSE:SLE-12-SP3:Update/prometheus-ha_cluster_exporter
- SUSE:SLE-15:Update/prometheus-ha_cluster_exporter
- SUSE:SLE-15-SP2:Update/prometheus-ha_cluster_exporter
- openSUSE:Factory/prometheus-ha_cluster_exporter

Fixing commit:

https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
Comment 2 Stefano Torresi 2023-02-09 16:28:14 UTC
Acknowledged. Will submit new release soon.
Comment 6 Swamp Workflow Management 2023-02-20 17:19:14 UTC
SUSE-SU-2023:0460-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1208046,1208047
CVE References: CVE-2022-46146
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SAP Applications 15-SP1 (src):    prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-150000.1.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2023-02-20 23:18:01 UTC
SUSE-SU-2023:0465-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1208046,1208047
CVE References: CVE-2022-46146
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-150200.3.21.1
SUSE Linux Enterprise Module for SAP Applications 15-SP4 (src):    prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-150200.3.21.1
SUSE Linux Enterprise Module for SAP Applications 15-SP3 (src):    prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-150200.3.21.1
SUSE Linux Enterprise Module for SAP Applications 15-SP2 (src):    prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-150200.3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-02-21 12:30:13 UTC
SUSE-SU-2023:0467-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (important)
Bug References: 1208046, 1208047
CVE References: CVE-2022-46146
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-4.26.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-4.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-02-21 12:30:19 UTC
SUSE-SU-2023:0465-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (important)
Bug References: 1208046, 1208047
CVE References: CVE-2022-46146
Sources used:
openSUSE Leap 15.4 (src): prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-150200.3.21.1
SAP Applications Module 15-SP2 (src): prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-150200.3.21.1
SAP Applications Module 15-SP3 (src): prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-150200.3.21.1
SAP Applications Module 15-SP4 (src): prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-150200.3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-02-21 12:30:29 UTC
SUSE-SU-2023:0460-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (important)
Bug References: 1208046, 1208047
CVE References: CVE-2022-46146
Sources used:
SAP Applications Module 15-SP1 (src): prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-150000.1.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.