Vulnerability Name: CVE-2022-2879 (CCN-238663)

Assigned: 2022-09-03
Published: 2022-09-03
Updated: 2023-03-03
Summary: Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
6.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2022-2879

Source: XF
Type: UNKNOWN
go-cve20222879-dos(238663)

Source: CCN
Type: Go GIT Repository
archive/tar: unbounded memory consumption when reading headers #54853

Source: security@golang.org
Type: Patch
security@golang.org

Source: CCN
Type: Go Web site
Release History

Source: security@golang.org
Type: Issue Tracking, Third Party Advisory
security@golang.org

Source: CCN
Type: Google Groups
[security] Go 1.19.2 and Go 1.18.7 are released

Source: security@golang.org
Type: Mailing List, Release Notes
security@golang.org

Source: security@golang.org
Type: Vendor Advisory
security@golang.org

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*
Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:golang:go:1.18.6:*:*:*:*:*:*:*
  AND
  • cpe:/a:gnome:pango:1.19.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Vulnerability Name: CVE-2022-2879 (CCN-240560)

Assigned: 2022-10-04
Published: 2022-10-04
Updated: 2022-10-18
Summary: Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
6.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-770
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2022-2879

Source: XF
Type: UNKNOWN
golang-cve20222879-dos(240560)

Source: CCN
Type: Golang Web page
Go 1.19.2 and Go 1.18.7 are released

Source: CCN
Type: IBM Security Bulletin 6852715 (Cloud Pak for Integration)
Operations Dashboard is vulnerable to multiple Go CVEs

Source: CCN
Type: IBM Security Bulletin 6857851 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-2879]

Source: CCN
Type: IBM Security Bulletin 6891055 (Cloud Integration Platform)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6909749 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2022-2879)

Source: CCN
Type: IBM Security Bulletin 6955849 (Decision Optimization for Cloud Pak for Data)
Multiple vulnerabilities in Golang Go affect IBM Decision Optimization in IBM Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6955929 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go

Source: CCN
Type: IBM Security Bulletin 6958146 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6963940 (CICS TX Advanced)
CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Advanced

Source: CCN
Type: IBM Security Bulletin 6963942 (CICS TX Standard)
CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6965816 (Spectrum Protect Plus)
Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6966998 (WebSphere Automation)
Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation

Source: CCN
Type: IBM Security Bulletin 6982841 (Netcool Operations Insight)
Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6983270 (Robotic Process Automation)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 6986361 (Robotic Process Automation)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 6999605 (MQ Operator)
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from curl, go and apr-util

Source: CCN
Type: IBM Security Bulletin 7008407 (Robotic Process Automation for Cloud Pak)
Multiple operator framework security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Source: CCN
Type: IBM Security Bulletin 7009921 (Watson Assistant for Cloud Pak for Data)
IBM Watson Assistant for IBM Cloud Pak for Data is affected by multiple vulnerabilities in Golang Go

Source: CCN
Type: IBM Security Bulletin 7013037 (Edge Application Manager)
IBM Edge Application Manager 4.5.1 addresses security vulnerability listed in CVE below.

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*
Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:golang:go:1.18.0:-:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.18.1:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.18.3:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.18.4:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.18.5:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.19.0:*:*:*:*:*:*:*
  AND
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:23.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:23.0.3:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8013 | P | go1.19-1.19.9-150000.1.31.1 on GA media (Moderate) | 2023-06-20
oval:com.redhat.rhsa:def:20230446 | P | RHSA-2023:0446: go-toolset:rhel8 security and bug fix update (Moderate) | 2023-01-25
oval:com.redhat.rhsa:def:20230328 | P | RHSA-2023:0328: go-toolset and golang security and bug fix update (Moderate) | 2023-01-23
oval:org.opensuse.security:def:654 | P | Security update for go1.18 (Important) (in QA) | 2022-10-05
oval:org.opensuse.security:def:655 | P | Security update for go1.19 (Important) (in QA) | 2022-10-05