Описание
Уязвимость декодера HPACK языка программирования Golang связана с неконтролируемым потребление ресурсов . Эксплуатация уязвимости может позволить нарушителю, действующему локально, вызвать отказ в обслуживании
Вендор
Novell Inc.
Red Hat Inc.
Сообщество свободного программного обеспечения
ООО «Ред Софт»
Fedora Project
The Go Project
АО "НППКТ"
Наименование ПО
OpenSUSE Leap
Red Hat Enterprise Linux
SUSE Linux Enterprise Server for SAP Applications
Suse Linux Enterprise Server
Debian GNU/Linux
openSUSE Tumbleweed
Red Hat Quay
JBoss A-MQ
SUSE CaaS Platform
SUSE Linux Enterprise High Performance Computing
РЕД ОС
SUSE Manager Proxy
SUSE Manager Server
Red Hat Openshift Data Foundation
SUSE Enterprise Storage
Red Hat Advanced Cluster Management for Kubernetes
Red Hat OpenShift Container Platform
Red Hat Satellite
Suse Linux Enterprise Desktop
SUSE Manager Retail Branch Server
SUSE Linux Enterprise Module for Basesystem
SUSE Linux Enterprise Module for Development Tools
Red Hat Web Terminal
Node Maintenance Operator
Fedora
OpenShift Developer Tools and Services
SUSE Linux Enterprise Real Time
Red Hat Ceph Storage
SUSE Linux Enterprise Module for Package Hub
Go
Red Hat OpenShift on AWS
Migration Toolkit for Applications
SUSE Linux Enterprise Module for Containers
Red Hat Ansible Automation Platform
Red Hat Migration Toolkit for Containers
OpenShift Dev Spaces
Red Hat Advanced Cluster Security
Self Node Remediation
hpack
http2
Red Hat OpenShift distributed tracing
Openshift Service Mesh
SUSE Manager Server Module
SUSE Liberty Linux
ОСОН ОСнова Оnyx
SUSE Manager Client Tools
SUSE Manager Proxy Module
SUSE Linux Micro
Версия ПО
15.5 (OpenSUSE Leap)
8 (Red Hat Enterprise Linux)
15 SP1 (SUSE Linux Enterprise Server for SAP Applications)
12 SP5 (Suse Linux Enterprise Server)
12 SP5 (SUSE Linux Enterprise Server for SAP Applications)
10 (Debian GNU/Linux)
- (openSUSE Tumbleweed)
3 (Red Hat Quay)
7 (JBoss A-MQ)
4.0 (SUSE CaaS Platform)
15 SP1-LTSS (Suse Linux Enterprise Server)
15 SP1-LTSS (SUSE Linux Enterprise High Performance Computing)
11 (Debian GNU/Linux)
12 (Debian GNU/Linux)
7.3 (РЕД ОС)
15.4 (OpenSUSE Leap)
15 SP3 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Proxy)
4.2 (SUSE Manager Server)
4 (Red Hat Openshift Data Foundation)
7 (SUSE Enterprise Storage)
15 SP2 (SUSE Linux Enterprise Server for SAP Applications)
15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing)
2 (Red Hat Advanced Cluster Management for Kubernetes)
15 SP4 (Suse Linux Enterprise Server)
4 (Red Hat OpenShift Container Platform)
6 (Red Hat Satellite)
15 SP4 (Suse Linux Enterprise Desktop)
15 SP4 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Retail Branch Server)
9 (Red Hat Enterprise Linux)
15 SP2-LTSS (Suse Linux Enterprise Server)
4.3 (SUSE Manager Retail Branch Server)
4.3 (SUSE Manager Proxy)
4.3 (SUSE Manager Server)
15 SP4 (SUSE Linux Enterprise High Performance Computing)
7.1 (SUSE Enterprise Storage)
15 SP4 (SUSE Linux Enterprise Module for Basesystem)
15 SP4 (SUSE Linux Enterprise Module for Development Tools)
- (Red Hat Web Terminal)
- (Node Maintenance Operator)
37 (Fedora)
- (OpenShift Developer Tools and Services)
15 SP3-LTSS (Suse Linux Enterprise Server)
15 SP3-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP3-LTSS (SUSE Linux Enterprise High Performance Computing)
15 SP3 (SUSE Linux Enterprise Real Time)
5 (Red Hat Ceph Storage)
15 SP4 (SUSE Linux Enterprise Module for Package Hub)
38 (Fedora)
15 SP5 (SUSE Linux Enterprise Server for SAP Applications)
15 SP5 (Suse Linux Enterprise Server)
15 SP5 (Suse Linux Enterprise Desktop)
до 1.19.6 (Go)
1.20.0 (Go)
- (Red Hat OpenShift on AWS)
6 (Migration Toolkit for Applications)
15 SP4 (SUSE Linux Enterprise Module for Containers)
15 SP5 (SUSE Linux Enterprise High Performance Computing)
15 SP5 (SUSE Linux Enterprise Module for Basesystem)
15 SP5 (SUSE Linux Enterprise Module for Development Tools)
2 (Red Hat Ansible Automation Platform)
1.7 (Red Hat Migration Toolkit for Containers)
4.13 (Red Hat OpenShift Container Platform)
15 SP5 (SUSE Linux Enterprise Module for Package Hub)
- (OpenShift Dev Spaces)
3 (Red Hat Advanced Cluster Security)
- (Self Node Remediation)
до 0.7.0 (hpack)
до 0.7.0 (http2)
- (Red Hat OpenShift distributed tracing)
2.1 (Openshift Service Mesh)
4.2 (SUSE Manager Server Module)
4.3 (SUSE Manager Server Module)
9 (SUSE Liberty Linux)
15 SP5 (SUSE Linux Enterprise Module for Containers)
15 SP6 (Suse Linux Enterprise Desktop)
15 SP6 (Suse Linux Enterprise Server)
15 SP6 (SUSE Linux Enterprise Server for SAP Applications)
15 SP6 (SUSE Linux Enterprise High Performance Computing)
15 SP6 (SUSE Linux Enterprise Module for Basesystem)
15 SP6 (SUSE Linux Enterprise Module for Package Hub)
15.6 (OpenSUSE Leap)
15 SP6 (SUSE Linux Enterprise Module for Development Tools)
до 2.11 (ОСОН ОСнова Оnyx)
15 SP6 (SUSE Linux Enterprise Module for Containers)
12 (SUSE Manager Client Tools)
15 (SUSE Manager Client Tools)
for RHEL, Liberty and Clones 9-CLIENT-TOOLS (SUSE Manager Client Tools)
for SLE Micro 5 (SUSE Manager Client Tools)
4.2 (SUSE Manager Proxy Module)
4.3 (SUSE Manager Proxy Module)
15 SP7 (Suse Linux Enterprise Desktop)
15 SP7 (SUSE Linux Enterprise High Performance Computing)
15 SP7 (Suse Linux Enterprise Server)
15 SP7 (SUSE Linux Enterprise Server for SAP Applications)
15 SP7 (SUSE Linux Enterprise Module for Basesystem)
15 SP7 (SUSE Linux Enterprise Module for Package Hub)
15 SP7 (SUSE Linux Enterprise Module for Containers)
6.0 (SUSE Linux Micro)
6.1 (SUSE Linux Micro)
12-BETA (SUSE Manager Client Tools)
Тип ПО
Операционная система
Прикладное ПО информационных систем
Сетевое средство
Сетевое программное средство
Операционные системы и аппаратные платформы
Novell Inc. OpenSUSE Leap 15.5
Red Hat Inc. Red Hat Enterprise Linux 8
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP1
Novell Inc. Suse Linux Enterprise Server 12 SP5
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5
Сообщество свободного программного обеспечения Debian GNU/Linux 10
Novell Inc. openSUSE Tumbleweed -
Novell Inc. Suse Linux Enterprise Server 15 SP1-LTSS
Сообщество свободного программного обеспечения Debian GNU/Linux 11
Сообщество свободного программного обеспечения Debian GNU/Linux 12
ООО «Ред Софт» РЕД ОС 7.3
Novell Inc. OpenSUSE Leap 15.4
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2
Novell Inc. Suse Linux Enterprise Server 15 SP4
Novell Inc. Suse Linux Enterprise Desktop 15 SP4
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4
Red Hat Inc. Red Hat Enterprise Linux 9
Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS
Fedora Project Fedora 37
Novell Inc. Suse Linux Enterprise Server 15 SP3-LTSS
Novell Inc. SUSE Linux Enterprise Real Time 15 SP3
Fedora Project Fedora 38
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP5
Novell Inc. Suse Linux Enterprise Server 15 SP5
Novell Inc. Suse Linux Enterprise Desktop 15 SP5
Novell Inc. SUSE Liberty Linux 9
Novell Inc. Suse Linux Enterprise Desktop 15 SP6
Novell Inc. Suse Linux Enterprise Server 15 SP6
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP6
Novell Inc. OpenSUSE Leap 15.6
АО "НППКТ" ОСОН ОСнова Оnyx до 2.11
Novell Inc. Suse Linux Enterprise Desktop 15 SP7
Novell Inc. Suse Linux Enterprise Server 15 SP7
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP7
Novell Inc. SUSE Linux Micro 6.0
Novell Inc. SUSE Linux Micro 6.1
Уровень опасности уязвимости
Высокий уровень опасности (базовая оценка CVSS 2.0 составляет 7,8)
Высокий уровень опасности (базовая оценка CVSS 3.1 составляет 7,5)
Возможные меры по устранению уязвимости
В условиях отсутствия обновлений безопасности от производителя рекомендуется придерживаться "Рекомендаций по безопасной настройке операционных систем LINUX", изложенных в методическом документе ФСТЭК России, утверждённом 25 декабря 2022 года.
Использование рекомендаций:
Для golang:
https://go.dev/cl/468135
https://go.dev/cl/468295
https://go.dev/issue/57855
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
https://pkg.go.dev/vuln/GO-2023-1571
Для Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/
Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2022-41723
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/CVE-2022-41723
Для РедОС:
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Для ОСОН ОСнова Оnyx (2.11):
Обновление программного обеспечения golang-golang-x-net до версии 1:0.7.0+dfsg-1
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2022-41723.html
Статус уязвимости
Подтверждена производителем
Наличие эксплойта
Данные уточняются
Информация об устранении
Уязвимость устранена
Ссылки на источники
Идентификаторы других систем описаний уязвимостей
- CVE
EPSS
Процентиль: 46%
0.00229
Низкий
7.5 High
CVSS3
7.8 High
CVSS2
Связанные уязвимости
CVSS3: 7.5
ubuntu
больше 2 лет назад
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
CVSS3: 7.5
redhat
больше 2 лет назад
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
CVSS3: 7.5
nvd
больше 2 лет назад
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
EPSS
Процентиль: 46%
0.00229
Низкий
7.5 High
CVSS3
7.8 High
CVSS2