Impact
HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.
Affected Configuration
In order to be affected, an instrumented software must
- Use any of
promhttp.InstrumentHandler* middleware except RequestsInFlight.
- Do not filter any specific methods (e.g GET) before middleware.
- Pass metric with
method label name to our middleware.
- Not have any firewall/LB/proxy that filters away requests with unknown
method.
Patches
Workarounds
If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can:
- Remove
method label name from counter/gauge you use in the InstrumentHandler.
- Turn off affected promhttp handlers.
- Add custom middleware before promhttp handler that will sanitize the request method given by Go http.Request.
- Use a reverse proxy or web application firewall, configured to only allow a limited set of methods.
For more information
If you have any questions or comments about this advisory:
Impact
HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.
Affected Configuration
In order to be affected, an instrumented software must
promhttp.InstrumentHandler*middleware exceptRequestsInFlight.methodlabel name to our middleware.method.Patches
Workarounds
If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can:
methodlabel name from counter/gauge you use in the InstrumentHandler.For more information
If you have any questions or comments about this advisory:
prometheus-team@googlegroups.com