Description
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or a panic. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
Statement
The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang’s Garbage Collector; OpenShift’s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations. This flaw additionally affects the github.com/vbatts/tar-split library and was fixed in v0.12.1.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
OpenShift Developer Tools and Services | helm | Fix deferred | ||
OpenShift Developer Tools and Services | odo | Affected | ||
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/prometheus-rhel8 | Affected | ||
Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-main-rhel8 | Affected | ||
Red Hat AMQ Broker 7 | amq-broker-rhel8-operator-container | Affected | ||
Red Hat Ansible Automation Platform 2 | openshift-clients | Affected | ||
Red Hat Application Interconnect 1.0 | skupper-cli | Affected | ||
Red Hat Ceph Storage 3 | golang | Out of support scope | ||
Red Hat Enterprise Linux 8 | container-tools:3.0/buildah | Will not fix | ||
Red Hat Enterprise Linux 8 | container-tools:3.0/podman | Affected | ||
Additional information
CVSS3: 6.5 Medium