Описание
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects. This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability.
Отчет
OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) all include code generated by github.com/gogo/protobuf to parse protobuf messages. However, no component is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate for OCP, OSSM and RHOSJ. OpenShift Virtualization includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no component of OpenShift Virtualization is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate. Red Hat Advanced Cluster Management for Kubernetes (RHACM) includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no RHACM component is accepting protobuf messages from unauthenticated sources and are used with a limited scope, hence this vulnerability is rated Moderate for RHACM. Red Hat Cluster Application Migration (CAM) includes code generated by github.com/gogo/protobuf to parse protobuf messages. However, no CAM component is known to accept protobuf messages from unauthenticated sources, hence this vulnerability is rated Moderate for CAM. Cryostat-2 is affected as it does ship gogo/protobuf library with it's distribution but the only use for Protobuf would be the Kubernetes/OpenShift API server the operator communicates with and it should be authenticated hence it is affected with Moderate impact.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-agent-rhel8 | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel8 | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-collector-rhel8 | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-ingester-rhel8 | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-query-rhel8 | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-rhel8-operator | Not affected | ||
| OpenShift Service Mesh 2.0 | servicemesh | Affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-cni | Affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-operator | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
8.6 High
CVSS3
Связанные уязвимости
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarsha ...
EPSS
8.6 High
CVSS3