Default config exposes /debug/pprof publicly #852
Labels: frozen-due-to-age (Locked due to a period of inactivity. Please open new issues or PRs if more discussion is needed.), keepalive (Never close from staleness)
Comments
riptl changed the title from "Server exposed on 0.0.0.0:12345 with pprof metrics by default" to "Default config exposes /debug/pprof publicly" on Aug 27, 2021
Thanks for reporting. I will talk with the team about this to decide next steps.
rfratto added a commit to rfratto/agent that referenced this issue on Mar 10, 2022:
…1:12346 This commit changes the default listen addresses to be 127.0.0.1:12345 (for HTTP) and 127.0.0.1:12346 (for gRPC). This makes listening on all interfaces opt-in rather than opt-out, avoiding accidental overexposure of access. Closes grafana#852. Additionally, the `-reload-addr` and `-reload-port` flags have been removed as a follow up to grafana#1476. Now that the HTTP and gRPC server are static for the lifetime of the application, it is impossible for the user to change their configuration file in such a way to cause it to shut down while performing a reload. This means that the `-reload-addr` and `-reload-port` no longer have a use and can be removed safely.
rfratto added a commit that referenced this issue on Mar 14, 2022:
* server: Change default listen addresses to 127.0.0.1:12345 / 127.0.0.1:12346 This commit changes the default listen addresses to be 127.0.0.1:12345 (for HTTP) and 127.0.0.1:12346 (for gRPC). This makes listening on all interfaces opt-in rather than opt-out, avoiding accidental overexposure of access. Closes #852. Additionally, the `-reload-addr` and `-reload-port` flags have been removed as a follow up to #1476. Now that the HTTP and gRPC server are static for the lifetime of the application, it is impossible for the user to change their configuration file in such a way to cause it to shut down while performing a reload. This means that the `-reload-addr` and `-reload-port` no longer have a use and can be removed safely. * fix extra references to old flags / port defaults * config: fix test * fix test assertion for reload address change
github-actions bot added the frozen-due-to-age label (Locked due to a period of inactivity. Please open new issues or PRs if more discussion is needed.) on Feb 22, 2024
Issue
When installing the Grafana Cloud Agent (version 0.17.0) according to documented instructions on a server, the agent is going to expose port `12345` to any address (listening at `0.0.0.0`) by default. This server is also exposing the Go pprof debugging API under `http://<server>:12345/debug/pprof/`. This is a minor security vulnerability, and common across the Go ecosystem: https://mmcloughlin.com/posts/your-pprof-is-showing

It is likely that any default installations of Grafana Cloud Agent suffer from this problem. `kubelet` had the same issue two years ago (CVE-2019-11248). It was rated CVSS 6.4.

Reproduce
Method 1: All in one script
Follow Grafana Cloud's walkthrough instructions to install Grafana Agent.
Method 2: Manual config generator
Run the following command:
Substitute `<user>` for your Grafana Cloud username (numeric) and `<api_key>` for your API key (beginning with `ey...`). It would generate a config like so:
When looking at the server config, this will indeed run the service under `0.0.0.0:12345`: https://grafana.com/docs/agent/latest/configuration/server-config/
Finally, on your server:
Fix
The fix is simple: Default `http_listen_address` to `127.0.0.1`.

PS, I could not find any channels for responsible disclosure on your website nor this repo, so I decided to post it here, since the severity is quite low.
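The separation the fix implies, written out as an added Go example that is not the agent's own code: the pprof handlers live on their own mux that may only be bound to a loopback address such as 127.0.0.1:12345, while the mux a remote host can reach carries no pprof at all. The `/-/healthy` route and the `IsLoopback`/`DebugServer` names are assumptions for illustration, not agent APIs.

```go
package main

import (
	"errors"
	"net"
	"net/http"
	"net/http/pprof"
)

// IsLoopback reports whether a listen address such as "127.0.0.1:12345" binds only the
// local host. An empty host, 0.0.0.0 or :: binds every interface (the pre-fix default).
func IsLoopback(listenAddr string) bool {
	host, _, err := net.SplitHostPort(listenAddr)
	if err != nil || host == "" {
		return false
	}
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// debugMux holds the pprof handlers on a dedicated mux. A blank import of net/http/pprof
// registers them on http.DefaultServeMux, so ListenAndServe(addr, nil) on 0.0.0.0 exposes them.
func debugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// publicMux is what a listener reachable from other hosts serves: no pprof (route is hypothetical).
func publicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/-/healthy", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok\n")) })
	return mux
}

// DebugServer builds the pprof server and refuses any address that is not loopback.
func DebugServer(listenAddr string) (*http.Server, error) {
	if !IsLoopback(listenAddr) {
		return nil, errors.New("pprof listener must bind a loopback address, got " + listenAddr)
	}
	return &http.Server{Addr: listenAddr, Handler: debugMux()}, nil
}
```

Serving `publicMux()` on the wildcard address and `DebugServer("127.0.0.1:12345")` on loopback keeps `/debug/pprof/` reachable only from the host itself.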