Vulnerability CVE-2022-1962

Vulnerability Name:

CVE-2022-1962 (CCN-232543)

Assigned:

2022-06-30

Published:

2022-06-30

Updated:

2023-03-01

Summary:

Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.

CVSS v3 Severity:

5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

6.2 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

5.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
4.8 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

4.9 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-1325

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2022-1962

Source: XF
Type: UNKNOWN
golang-cve20221962-dos(232543)

Source: CCN
Type: Go GIT Repository
go/parser: stack exhaustion in all Parse* functions #53616

Source: security@golang.org
Type: Patch, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Exploit, Issue Tracking, Patch, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Patch, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Release Notes, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Vendor Advisory
security@golang.org

Source: CCN
Type: IBM Security Bulletin 6616631 (MQ Operator)
BM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl, pcre2 and Golang Go

Source: CCN
Type: IBM Security Bulletin 6621597 (Cloud Pak for Integration)
Operations Dashboard is vulnerable to multiple Golang Go vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6825557 (Event Streams)
Multiple vulnerabilities in Golang Go affect IBM Event Streams

Source: CCN
Type: IBM Security Bulletin 6827815 (Cloud Pak for Integration)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple Go vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6831591 (Robotic Process Automation)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Source: CCN
Type: IBM Security Bulletin 6837277 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container operator and IntegrationServer operands may be vulnerable to denial of service due to CVE-2022-1962

Source: CCN
Type: IBM Security Bulletin 6838883 (Spectrum Protect Plus)
Vulnerabilities in Golang Go affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift

Source: CCN
Type: IBM Security Bulletin 6855105 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go

Source: CCN
Type: IBM Security Bulletin 6909423 (Cloud Pak for Multicloud Management Monitoring)
IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go

Source: CCN
Type: IBM Security Bulletin 6956311 (Cloud Pak for Multicloud Management)
Multiple Vulnerabilities in Multicloud Management Security Services

Source: CCN
Type: IBM Security Bulletin 6958068 (CICS TX Standard)
Multiple vulnerabilities in Go may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6966300 (Cloud Pak System Software Suite)
IBM Cloud Pak System is vulnerable to multiple vulnerabilities in Golang Go

Source: CCN
Type: IBM Security Bulletin 6966998 (WebSphere Automation)
Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-1962

Vulnerable Configuration:

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*

Configuration RedHat 4:

cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

Configuration CCN 1:

cpe:/a:golang:go:1.17.0:*:*:*:*:*:*:*

OR cpe:/a:golang:go:1.18.0:-:*:*:*:*:*:*

AND

cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*

OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*

OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.redhat.rhsa:def:20228057	P	RHSA-2022:8057: grafana security, bug fix, and enhancement update (Important)	2022-11-15
oval:com.redhat.rhsa:def:20227529	P	RHSA-2022:7529: container-tools:3.0 security update (Moderate)	2022-11-08
oval:com.redhat.rhsa:def:20227519	P	RHSA-2022:7519: grafana security, bug fix, and enhancement update (Moderate)	2022-11-08
oval:org.opensuse.security:def:118980	P	Security update for go1.17 (Important)	2022-08-04
oval:org.opensuse.security:def:676	P	Security update for go1.17 (Important)	2022-08-04
oval:org.opensuse.security:def:95341	P	Security update for go1.17 (Important)	2022-08-04
oval:org.opensuse.security:def:119285	P	Security update for go1.17 (Important)	2022-08-04
oval:org.opensuse.security:def:677	P	Security update for go1.18 (Important)	2022-08-04
oval:org.opensuse.security:def:95342	P	Security update for go1.18 (Important)	2022-08-04
oval:org.opensuse.security:def:119466	P	Security update for go1.17 (Important)	2022-08-04
oval:org.opensuse.security:def:3711	P	Security update for go1.17 (Important)	2022-08-04
oval:org.opensuse.security:def:118790	P	Security update for go1.17 (Important)	2022-08-04
oval:org.opensuse.security:def:119651	P	Security update for go1.17 (Important)	2022-08-04
oval:org.opensuse.security:def:3712	P	Security update for go1.18 (Important)	2022-08-04
oval:com.redhat.rhsa:def:20225775	P	RHSA-2022:5775: go-toolset:rhel8 security and bug fix update (Important)	2022-08-01
oval:com.redhat.rhsa:def:20225799	P	RHSA-2022:5799: go-toolset and golang security and bug fix update (Important)	2022-08-01

BACK