Vulnerability Name:

CVE-2022-27664 (CCN-235355)

Assigned: 2022-09-06
Published: 2022-09-06
Updated: 2022-10-28
Summary: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): High
  7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): High
  6.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
  5.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): Low
    User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): High
CVSS v2 Severity: 7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): Complete
Vulnerability Type: CWE-noinfo
  CWE-400
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2022-27664

Source: XF
Type: UNKNOWN
golang-cve202227664-dos(235355)

Source: CCN
Type: Go Web site
Golang Go

Source: MISC
Type: Mailing List, Third Party Advisory
https://groups.google.com/g/golang-announce

Source: CCN
Type: Google Groups Web site
[security] Go 1.19.1 and Go 1.18.6 are released

Source: CONFIRM
Type: Mailing List, Release Notes, Third Party Advisory
https://groups.google.com/g/golang-announce/c/x49AQzIVX-s

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-45097317b4

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-67ec8c61d0

Source: GENTOO
Type: Third Party Advisory
GLSA-202209-26

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220923-0004/

Source: CCN
Type: IBM Security Bulletin 6830273 (Cloud Pak for Integration)
Operations Dashboard is vulnerable to Golang Go vulnerabilities (CVE-2022-27664 and CVE-2022-32190)

Source: CCN
Type: IBM Security Bulletin 6833494 (Cloud Pak for Integration)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2022-27664

Source: CCN
Type: IBM Security Bulletin 6838883 (Spectrum Protect Plus)
Vulnerabilities in Golang Go affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift

Source: CCN
Type: IBM Security Bulletin 6843071 (Db2 on Cloud Pak for Data)
Multiple vulnerabilities affect IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6844863 (Event Streams)
Vulnerability in Golang Go affects IBM Event Streams (CVE-2022-27664)

Source: CCN
Type: IBM Security Bulletin 6845942 (Spectrum Copy Data Management)
Vulnerabilities in Golang Go and Linux Kernel may affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6847643 (Spectrum Protect Plus)
Vulnerabilities in Linux Kernel, Golang Go, and cURL libcurl may affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6847653 (Spectrum Protect)
Vulnerabilities in zlib and Golang Go may affect the IBM Spectrum Protect Server (CVE-2018-25032, CVE-2022-27664)

Source: CCN
Type: IBM Security Bulletin 6852653 (Robotic Process Automation for Cloud Pak)
A vulnerability in Golang Go may affect IBM Robotic Process Automation for Cloud Pak and result in a denial of service (CVE-2022-27664)

Source: CCN
Type: IBM Security Bulletin 6857305 (Workload Scheduler)
IBM Workload Scheduler potentially affected by vulnerability CVE-2022-27664

Source: CCN
Type: IBM Security Bulletin 6858011 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-27664]

Source: CCN
Type: IBM Security Bulletin 6890843 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2022-27664)

Source: CCN
Type: IBM Security Bulletin 6955849 (Decision Optimization for Cloud Pak for Data)
Multiple vulnerabilities in Golang Go affect IBM Decision Optimization in IBM Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6955929 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go

Source: CCN
Type: IBM Security Bulletin 6956311 (Cloud Pak for Multicloud Management)
Multiple Vulnerabilities in Multicloud Management Security Services

Source: CCN
Type: IBM Security Bulletin 6958068 (CICS TX Standard)
Multiple vulnerabilities in Go may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6965816 (Spectrum Protect Plus)
Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6966300 (Cloud Pak System Software Suite)
IBM Cloud Pak System is vulnerable to multiple vulnerabilities in Golang Go

Source: CCN
Type: IBM Security Bulletin 6966998 (WebSphere Automation)
Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation

Source: CCN
Type: IBM Security Bulletin 6967018 (CICS TX Standard)
CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6967291 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 6982919 (Sterling Order Management)
Golang Go vulnerability

Source: CCN
Type: IBM Security Bulletin 6982921 (Sterling Order Management)
Golang Go vulnerability

Source: CCN
Type: IBM Security Bulletin 6984413 (Db2 Rest)
Multiple vulnerabilities affect IBM Db2 REST

Source: CCN
Type: IBM Security Bulletin 6991553 (Edge Application Manager)
Open Source Dependency Vulnerability

Source: CCN
Type: IBM Security Bulletin 7004655 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7005485 (Cloud Pak for Network Automation)
Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7009921 (Watson Assistant for Cloud Pak for Data)
IBM Watson Assistant for IBM Cloud Pak for Data is affected by multiple vulnerabilities in Golang Go

Source: CCN
Type: IBM Security Bulletin 7012675 (Netcool Operations Insight)
Netcool Operations Insights 1.6.9 addresses multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 7014659 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7016688 (MQ Operator)
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl-libs, libssh, libarchive, sqlite and go-toolset

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:golang:go:1.19.0:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:*:*:*:*:*:*:*:* (Version < 1.18.6)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:37:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:golang:go:1.18.5:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.19.0:*:*:*:*:*:*:*
  AND
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:workload_scheduler:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect:8.1.0.000:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.2:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8169 | P | Security update for SUSE Manager Client Tools (Important) | 2023-06-21
oval:org.opensuse.security:def:8013 | P | go1.19-1.19.9-150000.1.31.1 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:7859 | P | kubernetes1.24-client-1.24.13-150500.1.3 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:7513 | P | golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2 on GA media (Moderate) | 2023-06-12
oval:com.redhat.rhsa:def:20227129 | P | RHSA-2022:7129: git-lfs security and bug fix update (Moderate) | 2022-10-25
oval:org.opensuse.security:def:770 | P | Security update for go1.18 (Important) | 2022-09-21
oval:org.opensuse.security:def:771 | P | Security update for go1.19 (Important) | 2022-09-21