Описание
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
A flaw was found in golang. When calling Decoder, Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion and allows an attacker to impact system availability.
Отчет
OpenShift Container Platform (OCP) starting from 4.10 stream is already compiled in the patched version of Go, hence is not affected by this vulnerability.The vulnerability has been rated as moderate instead of high because the vulnerability can only result in a minor denial of service. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-1325: Improperly Controlled Sequential Memory Allocation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Access to the platform is granted only after successful hard token-based multi-factor authentication (MFA) and is governed by least privilege to ensure only authorized users and roles can execute or modify code. Static code analysis and peer reviews enforce strong input validation and error handling, preventing improperly validated inputs from causing system instability, data exposure, or privilege escalation. In the event of successful exploitation, process isolation limits the impact of excessive sequential memory allocation by restricting memory use per process, preventing any single process from exhausting system resources. Finally, the platform uses memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to reduce the risk of memory allocation-based attacks.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-controller-rhel9 | Affected | ||
| OpenShift Developer Tools and Services | odo | Affected | ||
| OpenShift Pipelines | openshift-pipelines-client | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/gatekeeper-rhel8-operator | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/subctl-rhel9 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/work-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | volsync-container | Affected | ||
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-main-rhel8 | Affected | ||
| Red Hat Ansible Automation Platform 2 | openshift-clients | Affected | ||
| Red Hat Ceph Storage 3 | golang | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.1 ...
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
EPSS
7.5 High
CVSS3