Описание
xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.
A flaw was found in github.com/ulikunitz/xz. The function readUvarint may not terminate a loop what could lead to denial of service (DoS).
Отчет
In OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth authentication, therefore the impact is low. In OCP before 4.7 the buildah, skopeo and podman packages include vulnerable version of github.com/ulikunitz/xz, but these OCP releases are already in the Maintenance Phase of the support, hence affected components are marked as wontfix. This may be fixed in the future.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Migration Toolkit for Containers | openshift-migration-plugin-container | Affected | ||
| Migration Toolkit for Containers | rhmtc/openshift-migration-controller-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicloud-operators-application-container | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicloud-operators-channel-container | Will not fix | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicloud-operators-subscription | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicloud-operators-subscription-release | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/clusterlifecycle-state-metrics-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/openshift-hive-rhel8 | Fix deferred | ||
| Red Hat OpenShift Container Platform 4 | buildah | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | cri-o | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.
xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.
xz is a compression and decompression library focusing on the xz forma ...
github.com/ulikunitz/xz fixes readUvarint Denial of Service (DoS)
EPSS
7.5 High
CVSS3