perfSONAR by default enables a public web server endpoint that proxies the Prometheus node_exporter, thereby publishing excessive system information.
We do not assign a risk level to this vulnerability, because it would depend on what is published exactly, not only today, but also after future updates of components involved.
We consider it bad practice to serve - by default - such extensive system information to the world.
EGI SVG ID : EGI-SVG-2024-25
CVE ID : N/A
CVSS Score : N/A
All versions of perfSONAR are affected.
Sites running perfSONAR are recommended to consider carrying out the mitigation described under MITIGATION below, unless doing so disables functionality they require.
If anyone becomes aware of any situation where this information exposure has a significant impact on the EGI infrastructure then please inform EGI SVG.
Sites can mitigate by disabling the node_exporter service:
systemctl stop node_exporter.service
systemctl disable node_exporter.service
Alternatively the service can be firewalled to allow only trusted hosts/domains.
Lastly Prometheus can be configured to log less information [R 2].
The perfsonar-host-metrics package creates a public webserver endpoint at https://
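To see what such an endpoint discloses before choosing between the mitigations above, the following added example (not part of this advisory, nor of perfSONAR or node_exporter) parses a node_exporter text-format scrape and lists the metric families whose labels carry host inventory. The constructed sample scrape, the set of flagged families and all values in it are assumptions made for the example.

```python
"""Audit a node_exporter text-format scrape for host-inventory metric families."""
import re
import sys
import urllib.request

# Families whose labels carry host inventory (kernel, OS release, addresses).
# Which families to flag is an assumption made for this example.
INVENTORY_FAMILIES = {"node_uname_info", "node_os_info", "node_network_address_info"}
LABEL_RE = re.compile(r'(\w+)="((?:\\.|[^"\\])*)"')

# Constructed sample of what such an endpoint returns; all values are placeholders.
SAMPLE_SCRAPE = """\
# HELP node_uname_info Labeled system information as provided by the uname system call.
# TYPE node_uname_info gauge
node_uname_info{machine="x86_64",nodename="example-host",release="5.14.0-0.el9.x86_64",sysname="Linux"} 1
# TYPE node_os_info gauge
node_os_info{id="rocky",version_id="9.3"} 1
# TYPE node_cpu_seconds_total counter
node_cpu_seconds_total{cpu="0",mode="idle"} 12345.67
node_cpu_seconds_total{cpu="0",mode="user"} 89.5
node_network_address_info{address="192.0.2.10",device="eth0",netmask="24"} 1
"""


def parse_exposition(text):
    """Yield (family, labels) per sample line; comment and blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        family = re.split(r"[{ ]", line, maxsplit=1)[0]
        labels = dict(LABEL_RE.findall(line)) if "{" in line else {}
        yield family, labels


def audit(text):
    """Return (sample count per family, label sets exposed per flagged family)."""
    counts, exposed = {}, {}
    for family, labels in parse_exposition(text):
        counts[family] = counts.get(family, 0) + 1
        if family in INVENTORY_FAMILIES:
            exposed.setdefault(family, []).append(labels)
    return counts, exposed


if __name__ == "__main__":
    # With a URL argument, fetch an endpoint you administer; otherwise use the sample.
    text = urllib.request.urlopen(sys.argv[1], timeout=10).read().decode() if len(sys.argv) > 1 else SAMPLE_SCRAPE
    for family, rows in audit(text)[1].items():
        print(family, rows)
```

Run it against the perfSONAR host's own metrics URL before and after applying a mitigation to confirm the inventory families are no longer reachable from outside.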
TLP:CLEAR information - Unlimited distribution
https://advisories.egi.eu/Advisory-EGI-SVG-2024-25
Minor updates may be made without re-distribution to the sites.
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group
must be credited.
Comments or questions should be sent to svg-rat at mailman.egi.eu
Vulnerabilities relevant for EGI can be reported at report-vulnerability at egi.eu
(see [R 99] for further details, and other information on SVG)
[R 1] https://docs.perfsonar.net/manage_daemons.html?highlight=exporter
[R 2] https://prometheus.io/docs/prometheus/latest/configuration/configuration/
[R 99] https://confluence.egi.eu/display/EGIBG/SVG+Advisories