Vulnerability Name:

CVE-2022-28131 (CCN-233141)

Assigned:2022-06-29
Published:2022-06-29
Updated:2023-02-28
Summary:Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.3 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
6.4 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): High
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-1325
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-28131

Source: XF
Type: UNKNOWN
golang-cve202228131-dos(233141)

Source: CCN
Type: Go GIT Repository
encoding/xml: stack exhaustion in Decoder.Skip #53614

Source: cve@mitre.org
Type: Patch, Vendor Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Patch, Vendor Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Patch
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Release Notes, Vendor Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Patch, Vendor Advisory
cve@mitre.org

Source: CCN
Type: IBM Security Bulletin 6621597 (Cloud Pak for Integration)
Operations Dashboard is vulnerable to multiple Golang Go vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6824759 (MQ Operator)
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from curl, systemd, and Golang Go

Source: CCN
Type: IBM Security Bulletin 6825557 (Event Streams)
Multiple vulnerabilities in Golang Go affect IBM Event Streams

Source: CCN
Type: IBM Security Bulletin 6827815 (Cloud Pak for Integration)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple Go vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6831591 (Robotic Process Automation)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Source: CCN
Type: IBM Security Bulletin 6837259 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container operator and IntegrationServer operands may be vulnerable to denial of service due to CVE-2022-28131

Source: CCN
Type: IBM Security Bulletin 6838883 (Spectrum Protect Plus)
Vulnerabilities in Golang Go affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift

Source: CCN
Type: IBM Security Bulletin 6843071 (Db2 on Cloud Pak for Data)
Multiple vulnerabilities affect IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6845942 (Spectrum Copy Data Management)
Vulnerabilities in Golang Go and Linux Kernel may affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6855105 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go

Source: CCN
Type: IBM Security Bulletin 6909423 (Cloud Pak for Multicloud Management Monitoring)
IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go

Source: CCN
Type: IBM Security Bulletin 6958062 (Cloud Pak for Business Automation)
Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023

Source: CCN
Type: IBM Security Bulletin 6958068 (CICS TX Standard)
Multiple vulnerabilities in Go may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6966300 (Cloud Pak System Software Suite)
IBM Cloud Pak System is vulnerable to multiple vulnerabilities in Golang Go

Source: CCN
Type: IBM Security Bulletin 6966998 (WebSphere Automation)
Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation

Source: CCN
Type: IBM Security Bulletin 6991617 (Edge Application Manager)
Open Source Dependency Vulnerability

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
    • Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
    • Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:golang:go:1.17.11:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.18.3:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.redhat.rhsa:def:20228057
    P
    		RHSA-2022:8057: grafana security, bug fix, and enhancement update (Important)
    2022-11-15
    oval:com.redhat.rhsa:def:20227529
    P
    		RHSA-2022:7529: container-tools:3.0 security update (Moderate)
    2022-11-08
    oval:com.redhat.rhsa:def:20227519
    P
    		RHSA-2022:7519: grafana security, bug fix, and enhancement update (Moderate)
    2022-11-08
    oval:org.opensuse.security:def:118980
    P
    		Security update for go1.17 (Important)
    2022-08-04
    oval:org.opensuse.security:def:676
    P
    		Security update for go1.17 (Important)
    2022-08-04
    oval:org.opensuse.security:def:95341
    P
    		Security update for go1.17 (Important)
    2022-08-04
    oval:org.opensuse.security:def:119285
    P
    		Security update for go1.17 (Important)
    2022-08-04
    oval:org.opensuse.security:def:677
    P
    		Security update for go1.18 (Important)
    2022-08-04
    oval:org.opensuse.security:def:95342
    P
    		Security update for go1.18 (Important)
    2022-08-04
    oval:org.opensuse.security:def:119466
    P
    		Security update for go1.17 (Important)
    2022-08-04
    oval:org.opensuse.security:def:3711
    P
    		Security update for go1.17 (Important)
    2022-08-04
    oval:org.opensuse.security:def:118790
    P
    		Security update for go1.17 (Important)
    2022-08-04
    oval:org.opensuse.security:def:119651
    P
    		Security update for go1.17 (Important)
    2022-08-04
    oval:org.opensuse.security:def:3712
    P
    		Security update for go1.18 (Important)
    2022-08-04
    oval:com.redhat.rhsa:def:20225775
    P
    		RHSA-2022:5775: go-toolset:rhel8 security and bug fix update (Important)
    2022-08-01
    oval:com.redhat.rhsa:def:20225799
    P
    		RHSA-2022:5799: go-toolset and golang security and bug fix update (Important)
    2022-08-01
    BACK
    golang go 1.17.11
    golang go 1.18.3
    ibm spectrum protect plus 10.1.5
    ibm event streams 10.0.0
    ibm event streams 10.1.0
    ibm spectrum protect plus 10.1.7
    ibm event streams 10.2.0
    ibm event streams 10.3.0
    ibm event streams 10.3.1
    ibm cloud pak for business automation 18.0.0
    ibm cloud pak for business automation 18.0.2
    ibm cloud pak for business automation 19.0.1
    ibm cloud pak for business automation 19.0.3
    ibm cloud pak for business automation 20.0.1
    ibm cloud pak for business automation 20.0.3
    ibm cloud pak for business automation 21.0.1 -
    ibm cloud pak for business automation 21.0.2 -
    ibm cloud pak for business automation 21.0.3 -
    ibm robotic process automation 21.0.1
    ibm robotic process automation 21.0.2
    ibm app connect enterprise certified container 4.1
    ibm cics tx 11.1
    ibm app connect enterprise certified container 4.2
    ibm robotic process automation 21.0.3
    ibm robotic process automation 21.0.4
    ibm cloud pak for business automation 22.0.1 -
    ibm app connect enterprise certified container 5.0
    ibm app connect enterprise certified container 5.1
    ibm app connect enterprise certified container 5.2
    ibm cloud pak for business automation 22.0.2 -