
Plan to update golang.org/x/net package? #1329

Closed
pbxqdown opened this issue Dec 2, 2024 · 6 comments

Comments

@pbxqdown

pbxqdown commented Dec 2, 2024

Security vuln BDSA-2023-2733 is found in golang.org/x/net package. The fix is to update the package to v0.30.0. The master branch currently has v0.29.0 package. It would be good if there is plan to update this package in the upcoming release to fix the vuln.

Please let me know if I can be of help to work/test on it.

@electron0zero
Member

electron0zero commented Dec 3, 2024

the shared link doesn't work, can you share the CVE link from cve.org? and share the details on how it impacts blackbox exporter?

we regularly update our dependencies but having more info would be helpful here.

@pbxqdown
Author

pbxqdown commented Dec 3, 2024

@electron0zero sure. Following is the vuln description:

Golang Go Vulnerable to Denial-of-Service (DoS) via HTTP/2 Rapid Request Cancellations
Description
Golang Go is vulnerable to a denial-of-service (DoS) issue due to a flaw in the HTTP/2 protocol. It is possible for malicious HTTP/2 clients to rapidly submit and cancel requests in a manner that results in excessive resource consumption. Note: CVE-2023-39325 is Go specific and is tracked as CVE-2023-44487 (BDSA-2023-2732) for other impacted implementations of the HTTP/2 network protocol. CVE-2023-44487 is listed as exploitable by the Cybersecurity & Infrastructure Security Agency in their Known Exploited Vulnerabilities Catalog and has reportedly been exploited in the wild from August 2023 through October 2023.
Technical Description
This issue exists due to how the HTTP/2 protocol permits clients to send RST_STREAM frames to signal that a stream should be canceled without any input from the server. This makes it possible for a client to rapidly create and reset requests while existing requests are still being executed and processed by the server. To remedy this issue, the vendor has updated the http2 implementation to limit the number of possible handler goroutines that can exist simultaneously to the http2.Server.MaxConcurrentStreams value. The newly implemented scheduleHandler() function now schedules handlers to start when existing handler finish.
Vulnerability Source
BDSA

It looks like the vuln may be exploited by an attacker for DoS.
Our internal security scanner indicates that it is a High Vuln fixed in v0.30.0 version of golang.org/x/net.
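The pasted description says the x/net fix caps the number of handler goroutines per connection at MaxConcurrentStreams and schedules further handlers to start only when running ones finish. The following is an added, self-contained Go model of that scheduling, written for this page; it is not blackbox_exporter code and not the actual golang.org/x/net implementation. It assumes a handler that does not watch ctx.Done() and keeps working for 20 ms after the client resets the stream (the situation that lets rapid resets pile up goroutines), and it assumes that a queued stream whose client has already reset it is discarded rather than started; both are modelling choices, not claims about x/net.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// stream models one HTTP/2 stream: its request context (cancelled when the
// client sends RST_STREAM) and the handler that should run for it.
type stream struct {
	ctx    context.Context
	cancel context.CancelFunc
	handle func(ctx context.Context)
}

// scheduler is a simplified stand-in for the per-connection handler
// scheduling described in the issue: at most maxConcurrent handler
// goroutines run at once, further streams wait in a FIFO queue, and a queued
// stream the client already reset is discarded instead of started
// (assumption for this model).
type scheduler struct {
	maxConcurrent int
	wg            sync.WaitGroup // every submitted stream, until handled or discarded

	mu      sync.Mutex
	running int
	peak    int // highest running count observed, for the demonstration
	started int
	dropped int
	queue   []*stream
}

func newScheduler(maxConcurrent int) *scheduler {
	return &scheduler{maxConcurrent: maxConcurrent}
}

// Submit is called when a HEADERS frame opens a new stream.
func (s *scheduler) Submit(st *stream) {
	s.wg.Add(1)
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.running < s.maxConcurrent {
		s.startLocked(st)
		return
	}
	s.queue = append(s.queue, st)
}

// startLocked spawns the handler goroutine; the caller holds s.mu.
func (s *scheduler) startLocked(st *stream) {
	s.running++
	s.started++
	if s.running > s.peak {
		s.peak = s.running
	}
	go func() {
		defer s.finish()
		st.handle(st.ctx)
	}()
}

// finish runs when a handler returns: it frees a slot and starts queued
// streams, skipping any the client has reset in the meantime.
func (s *scheduler) finish() {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.running--
	s.wg.Done()
	for len(s.queue) > 0 && s.running < s.maxConcurrent {
		next := s.queue[0]
		s.queue = s.queue[1:]
		if next.ctx.Err() != nil { // reset before it ever started: no goroutine needed
			s.dropped++
			s.wg.Done()
			continue
		}
		s.startLocked(next)
	}
}

// Wait blocks until every submitted stream was either handled or discarded.
func (s *scheduler) Wait() { s.wg.Wait() }

// rapidResetRun submits n streams whose client resets each one immediately
// after opening it, the pattern the issue describes. The handler ignores the
// cancelled context for handlerWork, so a reset frees nothing by itself.
func rapidResetRun(sched *scheduler, n int, handlerWork time.Duration) (peak, started, dropped int) {
	handler := func(ctx context.Context) { time.Sleep(handlerWork) }
	for i := 0; i < n; i++ {
		ctx, cancel := context.WithCancel(context.Background())
		st := &stream{ctx: ctx, cancel: cancel, handle: handler}
		sched.Submit(st)
		st.cancel() // RST_STREAM arrives right after HEADERS
	}
	sched.Wait()
	sched.mu.Lock()
	defer sched.mu.Unlock()
	return sched.peak, sched.started, sched.dropped
}

func main() {
	const streams, limit = 200, 10
	work := 20 * time.Millisecond
	// No cap: one goroutine per reset stream is alive at the same time.
	peak, _, _ := rapidResetRun(newScheduler(streams), streams, work)
	fmt.Printf("no limit: %d handler goroutines at peak for %d reset streams\n", peak, streams)
	// Cap of 10: the rest queue up and are discarded once seen as reset.
	peak, started, dropped := rapidResetRun(newScheduler(limit), streams, work)
	fmt.Printf("limit %d: %d at peak, %d started, %d discarded after reset\n", limit, peak, started, dropped)
}
```

The first run stands in for the unpatched behaviour (the cap equals the number of streams, so nothing is ever queued) and shows peak goroutine count growing with the reset rate; the second shows the cap holding the peak at 10 regardless of how many streams the client opens and resets.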

@electron0zero
Member

electron0zero commented Dec 3, 2024

sorry, I don't think I understand the issue here.

the CVE is for WordPress, and we are a Prometheus exporter. we don't have anything to do with WordPress.

can you share the parts of the blackbox exporter code that's vulnerable to this CVE.

Please do not report raw vulnerability scanner results.

They are prone to false positives and cause the Prometheus team toil in verifying.

Please verify vulnerability reports and include specific details as to which components are directly exploitable.

@pbxqdown
Author

pbxqdown commented Dec 3, 2024

Sorry, some mistake; I just updated the comment with the correct description.
The vuln is from BDSA database, it offers a more accurate and comprehensive view of vulnerabilities compared to other sources like the National Vulnerability Database (NVD). BDSAs are proprietary reports created by Synopsys' Black Duck Cybersecurity Research Center, which provide detailed information on vulnerabilities in open source software.

@electron0zero
Member

I looked through CVE-2023-44487, and I don't think blackbox exporter can be exploited here.

we recommend folks to not expose blackbox_exporter on the internet, and also if they wish to do so, they should put it behind a reverse proxy or a Load Balancer. In those cases, the reverse proxy or the load balancer should prevent the HTTP2 denial of service attack that's described in CVE-2023-44487.

for future reference, please share full details on the CVE and how it impacts blackbox exporter. It's hard to act on scanner results, and it's not possible to evaluate the CVE in question when it's reported by a paid service that has its own CVE numbering scheme, and no public info on the CVE.

we have #1327, I will find some time to take a look at it.

@electron0zero
Member

update: #1340 is merged, and updated golang.org/x/net to 0.33.0
