CVE-2022-29190 with telegraf?

I am making use of telegraf in my application.

I want to know whether it can be a cause for CVE-2022-29190.

I understand that it has no dependency, but I see it mentioned here.

Hello @mghildiy,
I’m not sure.
According to ChatGPT:

CVE-2022-29190 is a high-severity vulnerability related to the Pion DTLS library, which is a Go implementation of the Datagram Transport Layer Security (DTLS) protocol. This vulnerability can be exploited by an attacker to cause a denial of service (DoS) through an infinite loop. Specifically, attackers can send specially crafted packets that trigger an infinite loop in the DTLS server or client, rendering it unresponsive and unable to handle legitimate requests. This vulnerability affects versions of the library up to 2.1.3, and it was patched in version 2.1.4. There are no known workarounds for this issue, making it crucial for developers to update to the patched version to mitigate the risk (Vulert) (DevHub).
Regarding Telegraf’s potential relation to CVE-2022-29190, it’s important to note that Telegraf itself is an agent for collecting, processing, aggregating, and writing metrics. If Telegraf or any plugins it uses depend on the affected version of the Pion DTLS library, then they could be vulnerable to this denial of service attack. However, without specific information on Telegraf’s use of this library, it’s difficult to say definitively. Developers using Telegraf in environments where DTLS might be used should review their dependencies and ensure that any use of the Pion DTLS library is updated to version 2.1.4 or later to avoid this vulnerability.

It does look like it is listed as a dependency in the Telegraf project

@jpowers would know more specifically though

@mghildiy,

The dependency github.com/pion/dtls is used by Telegraf in the x509_cert plugin. It is only used as a client to obtain x509 certificates by Telegraf. The current version used by Telegraf is v2.2.10. The affected version per CVE-2022-29190 is v2.1.4.

It looks like "chore(deps): Bump github.com/pion/dtls/v2 from 2.0.13 to 2.1.5 by dependabot[bot] · Pull Request #11581 · influxdata/telegraf · GitHub" updated Telegraf from v2.0.13 to v2.1.5 in Aug of 2022. That would have gone out with version v1.23.4 on August 16, 2022. I have not dug into if Telegraf was actually affected with the way dtls is used.

The link you provided is Ubuntu’s own CVE tracking and it tracks what versions of Telegraf in Ubuntu may have CVEs. We do not upload directly to Ubuntu or maintain any packaging in Ubuntu so you may need to ask Canonical.
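A practical way to settle the question for a specific deployment, rather than for the project in general, is to read the module list that the Go toolchain embeds in every binary (`go version -m <binary>`) and compare the `github.com/pion/dtls/v2` entry against the fix version. The script below is an added example, not part of this thread or of the Telegraf project. It assumes the fix version v2.1.4 cited above, assumes the binary lives at `/usr/bin/telegraf` (adjust the path), and, so that it runs offline, feeds itself a constructed imitation of `go version -m` output instead of a real binary; the `h1:` hashes in that sample are placeholders.

```sh
#!/bin/sh
# Added example (not Telegraf project code): decide whether the pion/dtls
# module linked into a Go binary is at or above the CVE-2022-29190 fix version.
#
# Real use:   go version -m /usr/bin/telegraf | check_dtls
# `go version -m` prints one line per module in the form
#   <TAB>dep<TAB>module/path<TAB>vX.Y.Z<TAB>h1:hash
# so a whitespace-splitting awk is enough to pull out the version field.

FIX_VERSION="v2.1.4"   # fix version cited in the thread (assumption: taken as-is)

# semver_ge A B: print 1 if Go module version A >= B, else 0.
# Handles vMAJOR.MINOR.PATCH with an optional -prerelease / pseudo-version
# suffix; a pre-release or pseudo-version sorts below its base release, so
# v2.1.4-0.2022...-abcdef is treated as older than v2.1.4.
semver_ge() {
    awk -v a="$1" -v b="$2" '
    BEGIN {
        split("", A); split("", B)          # make A and B arrays
        split_ver(a, A); split_ver(b, B)
        for (i = 1; i <= 3; i++) {
            if (A[i] + 0 > B[i] + 0) { print 1; exit }
            if (A[i] + 0 < B[i] + 0) { print 0; exit }
        }
        # same MAJOR.MINOR.PATCH: a release beats any pre-release; two
        # pre-releases are compared as plain strings (approximation)
        if (A[4] == "")      print 1
        else if (B[4] == "") print 0
        else                 print (A[4] >= B[4]) ? 1 : 0
    }
    function split_ver(v, out,   n, core, pre) {
        sub(/^v/, "", v)
        n = index(v, "-")
        if (n) { core = substr(v, 1, n - 1); pre = substr(v, n + 1) }
        else   { core = v; pre = "" }
        split(core, parts, ".")
        out[1] = parts[1]; out[2] = parts[2]; out[3] = parts[3]; out[4] = pre
    }'
}

# check_dtls: read `go version -m` output on stdin and print one of
#   "absent"                 no pion/dtls module is linked in
#   "fixed <version>"        version >= FIX_VERSION
#   "vulnerable <version>"   version below FIX_VERSION (including the
#                            unpatched v1 module path github.com/pion/dtls)
check_dtls() {
    v=$(awk '$1 == "dep" && ($2 == "github.com/pion/dtls" || $2 == "github.com/pion/dtls/v2") { print $3; exit }')
    if [ -z "$v" ]; then
        echo "absent"
    elif [ "$(semver_ge "$v" "$FIX_VERSION")" = 1 ]; then
        echo "fixed $v"
    else
        echo "vulnerable $v"
    fi
}

# sample_buildinfo VERSION: constructed stand-in for `go version -m` output
# with the given pion/dtls version embedded. Not real Telegraf build info.
sample_buildinfo() {
    printf '/usr/bin/telegraf: go1.18.5\n'
    printf '\tpath\tgithub.com/influxdata/telegraf/cmd/telegraf\n'
    printf '\tmod\tgithub.com/influxdata/telegraf\t(devel)\n'
    printf '\tdep\tgithub.com/pion/dtls/v2\t%s\th1:constructed=\n' "$1"
    printf '\tdep\tgolang.org/x/crypto\tv0.0.0-20220411220226-7b82a4e95df4\th1:constructed=\n'
}

# Demo on the constructed samples (the real binary would replace these).
sample_buildinfo v2.0.13 | check_dtls
sample_buildinfo v2.2.10 | check_dtls
```

Two caveats when reading the result. First, "fixed" or "vulnerable" only says which module version is linked in; as noted above, whether Telegraf's client-only use of DTLS in the x509_cert plugin is actually reachable by the infinite-loop condition has not been established in this thread. Second, a distribution package can carry a backported source patch without bumping the module version, so for an Ubuntu-built telegraf the distro's CVE tracker, not the embedded version string, is the authority.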