
[meta-webserver,kirkstone,3/3] netdata: patch CVE-2023-22497

Message ID 20260304113956.2245844-3-skandigraun@gmail.com

Commit Message

Gyorgy Sarvari March 4, 2026, 11:39 a.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-22497

This patch was selected based on its description, and based on the
associated PR. The description matches the issue described in the
NVD advisory, and the PR credits the same reporter who is also
credited with the CVE ID (in the release notes of the application).

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../netdata/netdata/CVE-2023-22497.patch      | 120 ++++++++++++++++++
 .../netdata/netdata_1.34.1.bb                 |   4 +-
 2 files changed, 123 insertions(+), 1 deletion(-)
 create mode 100644 meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch

Patch

diff --git a/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch b/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch
new file mode 100644
index 0000000000..5aa2fde328
--- /dev/null
+++ b/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch
@@ -0,0 +1,120 @@ 
+From 1aa77696d0853ab515eddea8ee7a7d16d3813571 Mon Sep 17 00:00:00 2001
+From: Costa Tsaousis <costa@netdata.cloud>
+Date: Tue, 29 Nov 2022 17:28:17 +0200
+Subject: [PATCH] Strict control of streaming API keys and MACHINE GUIDs in
+ stream.conf (#14063)
+
+do not allow machine guids to be used as API keys
+
+CVE: CVE-2023-22497
+Upstream-Status: Backport [https://github.com/netdata/netdata/commit/811028aea2f146cc0ac2bc403f7d692add400d63]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ streaming/rrdpush.c   | 30 ++++++++++++++++++++++++------
+ streaming/stream.conf | 10 ++++++++++
+ 2 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/streaming/rrdpush.c b/streaming/rrdpush.c
+index 8829d1e..0a0d9fc 100644
+--- a/streaming/rrdpush.c
++++ b/streaming/rrdpush.c
+@@ -594,21 +594,30 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) {
+ 
+     if(regenerate_guid(key, buf) == -1) {
+         rrdhost_system_info_free(system_info);
+-        log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - INVALID KEY");
++        log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - INVALID KEY");
+         error("STREAM [receive from [%s]:%s]: API key '%s' is not valid GUID (use the command uuidgen to generate one). Forbidding access.", w->client_ip, w->client_port, key);
+         return rrdpush_receiver_permission_denied(w);
+     }
+ 
+     if(regenerate_guid(machine_guid, buf) == -1) {
+         rrdhost_system_info_free(system_info);
+-        log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - INVALID MACHINE GUID");
++        log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - INVALID MACHINE GUID");
+         error("STREAM [receive from [%s]:%s]: machine GUID '%s' is not GUID. Forbidding access.", w->client_ip, w->client_port, machine_guid);
+         return rrdpush_receiver_permission_denied(w);
+     }
+ 
++    const char *api_key_type = appconfig_get(&stream_config, key, "type", "api");
++    if(!api_key_type || !*api_key_type) api_key_type = "unknown";
++    if(strcmp(api_key_type, "api") != 0) {
++        rrdhost_system_info_free(system_info);
++        log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - API KEY GIVEN IS NOT API KEY");
++        error("STREAM [receive from [%s]:%s]: API key '%s' is a %s GUID. Forbidding access.", w->client_ip, w->client_port, key, api_key_type);
++        return rrdpush_receiver_permission_denied(w);
++    }
++
+     if(!appconfig_get_boolean(&stream_config, key, "enabled", 0)) {
+         rrdhost_system_info_free(system_info);
+-        log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - KEY NOT ENABLED");
++        log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - KEY NOT ENABLED");
+         error("STREAM [receive from [%s]:%s]: API key '%s' is not allowed. Forbidding access.", w->client_ip, w->client_port, key);
+         return rrdpush_receiver_permission_denied(w);
+     }
+@@ -619,7 +628,7 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) {
+             if(!simple_pattern_matches(key_allow_from, w->client_ip)) {
+                 simple_pattern_free(key_allow_from);
+                 rrdhost_system_info_free(system_info);
+-                log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname) ? hostname : "-", "ACCESS DENIED - KEY NOT ALLOWED FROM THIS IP");
++                log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - KEY NOT ALLOWED FROM THIS IP");
+                 error("STREAM [receive from [%s]:%s]: API key '%s' is not permitted from this IP. Forbidding access.", w->client_ip, w->client_port, key);
+                 return rrdpush_receiver_permission_denied(w);
+             }
+@@ -627,9 +636,18 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) {
+         }
+     }
+ 
++    const char *machine_guid_type = appconfig_get(&stream_config, machine_guid, "type", "machine");
++    if(!machine_guid_type || !*machine_guid_type) machine_guid_type = "unknown";
++    if(strcmp(machine_guid_type, "machine") != 0) {
++        rrdhost_system_info_free(system_info);
++        log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - MACHINE GUID GIVEN IS NOT A MACHINE GUID");
++        error("STREAM [receive from [%s]:%s]: machine GUID '%s' is a %s GUID. Forbidding access.", w->client_ip, w->client_port, machine_guid, machine_guid_type);
++        return rrdpush_receiver_permission_denied(w);
++    }
++
+     if(!appconfig_get_boolean(&stream_config, machine_guid, "enabled", 1)) {
+         rrdhost_system_info_free(system_info);
+-        log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - MACHINE GUID NOT ENABLED");
++        log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - MACHINE GUID NOT ENABLED");
+         error("STREAM [receive from [%s]:%s]: machine GUID '%s' is not allowed. Forbidding access.", w->client_ip, w->client_port, machine_guid);
+         return rrdpush_receiver_permission_denied(w);
+     }
+@@ -640,7 +658,7 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) {
+             if(!simple_pattern_matches(machine_allow_from, w->client_ip)) {
+                 simple_pattern_free(machine_allow_from);
+                 rrdhost_system_info_free(system_info);
+-                log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname) ? hostname : "-", "ACCESS DENIED - MACHINE GUID NOT ALLOWED FROM THIS IP");
++                log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - MACHINE GUID NOT ALLOWED FROM THIS IP");
+                 error("STREAM [receive from [%s]:%s]: Machine GUID '%s' is not permitted from this IP. Forbidding access.", w->client_ip, w->client_port, machine_guid);
+                 return rrdpush_receiver_permission_denied(w);
+             }
+diff --git a/streaming/stream.conf b/streaming/stream.conf
+index e65e76f..7229ade 100644
+--- a/streaming/stream.conf
++++ b/streaming/stream.conf
+@@ -115,6 +115,11 @@
+ [API_KEY]
+     # Default settings for this API key
+ 
++    # This GUID is to be used as an API key from remote agents connecting
++    # to this machine. Failure to match such a key, denies access.
++    # YOU MUST SET THIS FIELD ON ALL API KEYS.
++    type = api
++
+     # You can disable the API key, by setting this to: no
+     # The default (for unknown API keys) is: no
+     enabled = no
+@@ -184,6 +189,11 @@
+ # you can give settings for each sending host here.
+ 
+ [MACHINE_GUID]
++    # This GUID is to be used as a MACHINE GUID from remote agents connecting
++    # to this machine, not an API key.
++    # YOU MUST SET THIS FIELD ON ALL MACHINE GUIDs.
++    type = machine
++
+     # enable this host: yes | no
+     # When disabled, the parent will not receive metrics for this host.
+     # THIS IS NOT A SECURITY MECHANISM - AN ATTACKER CAN SET ANY OTHER GUID.
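Review bot: The new `type` checks only reject a GUID whose stream.conf section explicitly carries a mismatching `type`: `appconfig_get(&stream_config, key, "type", "api")` falls back to "api" for a [MACHINE_GUID] section that has no `type` entry, so on a kirkstone system with a pre-existing stream.conf the machine-GUID-used-as-API-key path stays open until `type = machine` is added to every such section (the added stream.conf comment says so, but existing configurations are not rewritten by this patch). It would be worth stating that deployment requirement in the commit message or recipe, since the CVE is only closed once the configuration is updated. Separately, the rewritten log_stream_connection calls drop the `(key && *key)?key:"-"` and hostname guards and pass the raw pointers into what is presumably a `%s` format; that is safe only if the earlier empty key/hostname/machine_guid rejections in rrdpush_receiver_thread_spawn, which lie outside this hunk, are present in 1.34.1 as in later upstream releases — worth confirming against the 1.34.1 source before merging. rrdpush_receiver_thread_spawn begins and ends outside the hunk.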
diff --git a/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb b/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb
index 516fde6281..4d57b84b07 100644
--- a/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb
+++ b/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb
@@ -7,7 +7,9 @@  LIC_FILES_CHKSUM = "file://LICENSE;md5=fc9b848046ef54b5eaee6071947abd24"
 
 DEPENDS += "libuv util-linux zlib"
 
-SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BPN}-v${PV}.tar.gz"
+SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BPN}-v${PV}.tar.gz \
+           file://CVE-2023-22497.patch \
+           "
 SRC_URI[sha256sum] = "8ea0786df0e952209c14efeb02e25339a0769aa3edc029e12816b8ead24a82d7"
 
 # default netdata.conf for netdata configuration