CVE-2022-29190 with telegraf?

I am making use of telegraf in my application.

I want to know whether it can be a cause for CVE-2022-29190.

I understand that it has no dependency, but I see it mentioned here.

Hello @mghildiy,
I’m not sure.
According to chat gpt

CVE-2022-29190 is a high-severity vulnerability related to the Pion DTLS library, which is a Go implementation of the Datagram Transport Layer Security (DTLS) protocol. This vulnerability can be exploited by an attacker to cause a denial of service (DoS) through an infinite loop. Specifically, attackers can send specially crafted packets that trigger an infinite loop in the DTLS server or client, rendering it unresponsive and unable to handle legitimate requests. This vulnerability affects versions of the library up to 2.1.3, and it was patched in version 2.1.4. There are no known workarounds for this issue, making it crucial for developers to update to the patched version to mitigate the risk​ (Vulert)​​ (DevHub)​.
Regarding Telegraf’s potential relation to CVE-2022-29190, it’s important to note that Telegraf itself is an agent for collecting, processing, aggregating, and writing metrics. If Telegraf or any plugins it uses depend on the affected version of the Pion DTLS library, then they could be vulnerable to this denial of service attack. However, without specific information on Telegraf’s use of this library, it’s difficult to say definitively. Developers using Telegraf in environments where DTLS might be used should review their dependencies and ensure that any use of the Pion DTLS library is updated to version 2.1.4 or later to avoid this vulnerability.

It does look like it is listed as a dependency in the Telegraf project

@jpowers would know more specifically though


The dependency is used by Telegraf in the x509_cert plugin. It is only used as a client to obtain x509 certificates by Telegraf. The current version used by Telegraf is v2.2.10. The affected version per CVE-2022-29190 is v2.1.4.

It looks like chore(deps): Bump from 2.0.13 to 2.1.5 by dependabot[bot] · Pull Request #11581 · influxdata/telegraf · GitHub updated Telegraf from v2.0.13 to v2.1.5 in Aug of 2022. That would have gone out with version v1.23.4 on August 16, 2022. I have not dug into if Telegraf was actually affected with the way dtls is used.

The link you provided is Ubuntu’s own CVE tracking and it tracks what versions of Telegraf in Ubuntu may have CVEs. We do not upload directly to Ubuntu or maintain any packaging in Ubuntu so you may need to ask Canonical.