
BDU:2024-02376

Published: 06 Dec 2022
Source: fstec
CVSS3: 5.3
CVSS2: 5
EPSS: Low

Description

The vulnerability in the http2 package of the Go programming language is caused by unbounded resource allocation. Exploiting the vulnerability may allow a remote attacker to cause a denial of service.

Vendor

Red Hat Inc.
Novell Inc.
Free software community
Canonical Ltd.
ООО «Ред Софт»
Fedora Project
The Go Project

Software name

Red Hat Enterprise Linux
OpenSUSE Leap
Debian GNU/Linux
Red Hat Ceph Storage
Red Hat Software Collections
openSUSE Tumbleweed
Red Hat Storage
Ubuntu
Red Hat Quay
Openshift Service Mesh
РЕД ОС
SUSE Linux Enterprise High Performance Computing
Suse Linux Enterprise Server
SUSE Linux Enterprise Server for SAP Applications
SUSE Manager Proxy
SUSE Manager Server
Suse Linux Enterprise Desktop
Red Hat Openshift Data Foundation
SUSE Linux Enterprise Module for Development Tools
Red Hat OpenShift GitOps
Red Hat OpenShift Container Platform
Red Hat Satellite
SUSE Manager Retail Branch Server
Red Hat OpenStack Platform
SUSE Enterprise Storage
Red Hat Web Terminal
Node Maintenance Operator
Application Interconnect
Fedora
SUSE Linux Enterprise Real Time
Red Hat OpenShift on AWS
Migration Toolkit for Virtualization
Red Hat OpenShift Virtualization
OpenShift Serverless
Red Hat Ansible Automation Platform
Go
Red Hat Developer Tools
OpenShift Developer Tools and Services for OCP
Red Hat Advanced Cluster Security
Red Hat OpenShift Dev Spaces
Self Node Remediation
Logging subsystem for Red Hat OpenShift
SUSE Liberty Linux
OpenShift API for Data Protection
OpenShift Secondary Scheduler Operator
Red Hat Advanced Cluster Management for Kubernetes
Migration Toolkit for Containers
Red Hat OpenShift distributed tracing
http2
Satellite Client

Software version

7 (Red Hat Enterprise Linux)
15.5 (OpenSUSE Leap)
8 (Red Hat Enterprise Linux)
10 (Debian GNU/Linux)
3 (Red Hat Ceph Storage)
- (Red Hat Software Collections)
- (openSUSE Tumbleweed)
3 (Red Hat Storage)
20.04 LTS (Ubuntu)
3 (Red Hat Quay)
16.04 ESM (Ubuntu)
15.3 (OpenSUSE Leap)
2 (Openshift Service Mesh)
11 (Debian GNU/Linux)
12 (Debian GNU/Linux)
7.3 (РЕД ОС)
15.4 (OpenSUSE Leap)
15 SP3 (SUSE Linux Enterprise High Performance Computing)
15 SP3 (Suse Linux Enterprise Server)
15 SP3 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Proxy)
4.2 (SUSE Manager Server)
15 SP3 (Suse Linux Enterprise Desktop)
4 (Red Hat Openshift Data Foundation)
15 SP3 (SUSE Linux Enterprise Module for Development Tools)
- (Red Hat OpenShift GitOps)
15 SP4 (Suse Linux Enterprise Server)
4 (Red Hat OpenShift Container Platform)
6 (Red Hat Satellite)
15 SP4 (Suse Linux Enterprise Desktop)
15 SP4 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Retail Branch Server)
22.04 LTS (Ubuntu)
9 (Red Hat Enterprise Linux)
16.2 (Red Hat OpenStack Platform)
4.3 (SUSE Manager Retail Branch Server)
4.3 (SUSE Manager Proxy)
4.3 (SUSE Manager Server)
15 SP4 (SUSE Linux Enterprise High Performance Computing)
4.10 (Red Hat OpenShift Container Platform)
7.1 (SUSE Enterprise Storage)
15 SP4 (SUSE Linux Enterprise Module for Development Tools)
- (Red Hat Web Terminal)
- (Node Maintenance Operator)
1.0 (Application Interconnect)
37 (Fedora)
15 SP3-LTSS (Suse Linux Enterprise Server)
17.0 (Red Hat OpenStack Platform)
16.1 (Red Hat OpenStack Platform)
15 SP3-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP3-LTSS (SUSE Linux Enterprise High Performance Computing)
15 SP3 (SUSE Linux Enterprise Real Time)
5 (Red Hat Ceph Storage)
38 (Fedora)
15 SP5 (SUSE Linux Enterprise Server for SAP Applications)
15 SP5 (Suse Linux Enterprise Server)
15 SP5 (Suse Linux Enterprise Desktop)
- (Red Hat OpenShift on AWS)
- (Migration Toolkit for Virtualization)
4 (Red Hat OpenShift Virtualization)
- (OpenShift Serverless)
15 SP5 (SUSE Linux Enterprise High Performance Computing)
15 SP5 (SUSE Linux Enterprise Module for Development Tools)
2 (Red Hat Ansible Automation Platform)
18.04 ESM (Ubuntu)
before 1.18.2 (Go)
4.13 (Red Hat OpenShift Container Platform)
4.11 (Red Hat OpenShift Container Platform)
- (Red Hat Developer Tools)
4.12 (Red Hat OpenShift Container Platform)
4.11 (OpenShift Developer Tools and Services for OCP)
3 (Red Hat Advanced Cluster Security)
- (Red Hat OpenShift Dev Spaces)
- (Self Node Remediation)
2.1 (Openshift Service Mesh)
5.4 (Logging subsystem for Red Hat OpenShift)
- (Logging subsystem for Red Hat OpenShift)
9 (SUSE Liberty Linux)
8 (SUSE Liberty Linux)
6.14 for RHEL 8 (Red Hat Satellite)
from 1.19.0 to 1.19.3 (Go)
1.1 for RHEL 8 (OpenShift API for Data Protection)
1.0 for RHEL 8 (OpenShift API for Data Protection)
1 on RHEL 8 (OpenShift Serverless)
1.1 for RHEL 8 (OpenShift Secondary Scheduler Operator)
2.7 for RHEL 8 (Red Hat Advanced Cluster Management for Kubernetes)
1.7 (Migration Toolkit for Containers)
2 (Red Hat OpenShift distributed tracing)
before 0.4.0 (http2)
4.9 (OpenShift Developer Tools and Services for OCP)
2.3 for RHEL 8 (Red Hat Ansible Automation Platform)
5.3 (Red Hat Ceph Storage)
2.3 for RHEL 8 (Openshift Service Mesh)
6 for RHEL 7 (Satellite Client)
6 for RHEL 8 (Satellite Client)
6 for RHEL 9 (Satellite Client)

Software type

Operating system
Application software for information systems
Network tool
Software of a hardware/software appliance
Virtualization software / virtual appliance software
Network software tool

Operating systems and hardware platforms

ООО «Ред Софт» РЕД ОС 7.3

Vulnerability severity level

Medium severity (CVSS 2.0 base score is 5)
Medium severity (CVSS 3.0 base score is 5.3)

Possible remediation measures

Follow the vendor recommendations:
For Go:
https://go-review.googlesource.com/c/net/+/455635
https://go-review.googlesource.com/c/go/+/455717
https://github.com/golang/go/issues/56350
For РЕД ОС:
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Для Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/
For Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2022-41717
For Red Hat Inc. software products:
https://access.redhat.com/security/cve/CVE-2022-41717
For Novell Inc. software products:
https://www.suse.com/security/cve/CVE-2022-41717.html
For Ubuntu:
https://ubuntu.com/security/notices/USN-6038-2
https://ubuntu.com/security/notices/USN-6038-1

Vulnerability status

Confirmed by the vendor

Exploit availability

Data being verified

Remediation information

Vulnerability fixed

Identifiers in other vulnerability databases

EPSS: 0.00413 (percentile 61%, Low)
CVSS3: 5.3 Medium
CVSS2: 5 Medium

Related vulnerabilities

CVSS3: 5.3
ubuntu
more than 2 years ago

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

CVSS3: 5.3
redhat
more than 2 years ago

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

CVSS3: 5.3
nvd
more than 2 years ago

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

CVSS3: 5.3
msrc
more than 2 years ago

No description available

CVSS3: 5.3
debian
more than 2 years ago

An attacker can cause excessive memory growth in a Go server accepting ...
