Vulnerability Name:

CVE-2022-30634 (CCN-229860)

Assigned:2022-06-01
Published:2022-06-01
Updated:2023-03-01
Summary:Golang Go is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request using large buffers, a remote attacker could exploit this vulnerability to cause rand.Read to hang,a and results in a denial of service condition.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2022-30634

Source: XF
Type: UNKNOWN
golang-cve202230634-dos(229860)

Source: security@golang.org
Type: Patch
security@golang.org

Source: CCN
Type: Golang Web site
go1.18.3 (released 2022-06-01)

Source: security@golang.org
Type: Exploit, Issue Tracking
security@golang.org

Source: security@golang.org
Type: Mailing List, Patch
security@golang.org

Source: CCN
Type: Golang Web page
[security] Go 1.18.3 and Go 1.17.11 are released

Source: security@golang.org
Type: Mailing List, Third Party Advisory
security@golang.org

Source: security@golang.org
Type: Third Party Advisory
security@golang.org

Source: CCN
Type: IBM Security Bulletin 6619905 (Spectrum Copy Data Management)
Vulnerabilities in Golang Go, PostgreSQL, jQuery, and Google Gson may affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6619915 (Spectrum Protect Plus)
Vulnerabilities in Linux Kernel, OpenSSL, Golang Go, and Zlib may affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6619963 (Spectrum Protect Plus)
Vulnerabilities in Golang Go and MinIO may affect IBM Spectrum Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30634, CVE-2022-35919, CVE-2022-31028)

Source: CCN
Type: IBM Security Bulletin 6620897 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go

Source: CCN
Type: IBM Security Bulletin 6825557 (Event Streams)
Multiple vulnerabilities in Golang Go affect IBM Event Streams

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:3693
    P
    		libupsclient1-2.7.4-3.3.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3694
    P
    		libusbmuxd4-1.0.10-2.3 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:518
    P
    		Security update for go1.18 (Important)
    2022-06-07
    oval:org.opensuse.security:def:1177
    P
    		Security update for go1.17 (Important)
    2022-06-07
    oval:org.opensuse.security:def:95323
    P
    		Security update for go1.17 (Important)
    2022-06-07
    oval:org.opensuse.security:def:1178
    P
    		Security update for go1.18 (Important)
    2022-06-07
    oval:org.opensuse.security:def:95324
    P
    		Security update for go1.18 (Important)
    2022-06-07
    oval:org.opensuse.security:def:517
    P
    		Security update for go1.17 (Important)
    2022-06-07
    BACK
    ibm spectrum protect plus 10.1.0
    ibm spectrum protect plus 10.1.5
    ibm event streams 10.0.0
    ibm event streams 10.1.0
    ibm spectrum protect plus 10.1.7
    ibm event streams 10.2.0
    ibm event streams 10.3.0
    ibm event streams 10.3.1
    ibm spectrum copy data management 2.2.0.0