Vulnerability Name: CVE-2022-32149 (CCN-238605)

Assigned: 2022-10-11
Published: 2022-10-11
Updated: 2022-10-11
Summary: Golang Go is vulnerable to a denial of service, caused by improper input validation in the golang.org/x/text/language package. By sending a specially crafted Accept-Language header, a remote attacker could cause ParseAcceptLanguage to take significant time to parse it, resulting in a denial of service condition.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2022-32149

Source: CCN
Type: Red Hat Bugzilla - Bug 2134010
CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

Source: XF
Type: UNKNOWN
golang-cve202232149-dos(238605)

Source: CCN
Type: Golang GIT Repository
language: reject excessively large Accept-Language strings

Source: CCN
Type: IBM Security Bulletin 6838883 (Spectrum Protect Plus)
Vulnerabilities in Golang Go affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift

Source: CCN
Type: IBM Security Bulletin 6845942 (Spectrum Copy Data Management)
Vulnerabilities in Golang Go and Linux Kernel may affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6852391 (Cloud Integration Platform)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Go CVE-2022-32149

Source: CCN
Type: IBM Security Bulletin 6852715 (Cloud Pak for Integration)
Operations Dashboard is vulnerable to multiple Go CVEs

Source: CCN
Type: IBM Security Bulletin 6855111 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go

Source: CCN
Type: IBM Security Bulletin 6857301 (Workload Scheduler)
IBM Workload Scheduler potentially affected by vulnerability CVE-2022-32149

Source: CCN
Type: IBM Security Bulletin 6957836 (Planning Analytics Workspace)
IBM Planning Analytics Workspace is affected by vulnerabilities (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149)

Source: CCN
Type: IBM Security Bulletin 6958062 (Cloud Pak for Business Automation)
Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for February 2023

Source: CCN
Type: IBM Security Bulletin 6958066 (CICS TX Advanced)
CVE-2022-32149 may affect IBM CICS TX Advanced

Source: CCN
Type: IBM Security Bulletin 6958072 (CICS TX Standard)
CVE-2022-32149 may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6958156 (Security Verify Bridge)
IBM Security Verify Bridge (windows and docker versions) affected by a denial of service issue in Go (CVE-2022-32149)

Source: CCN
Type: IBM Security Bulletin 6967291 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 6982925 (Sterling Order Management)
Golang Go vulnerability

Source: CCN
Type: IBM Security Bulletin 6984413 (Db2 Rest)
Multiple vulnerabilities affect IBM Db2 REST

Source: CCN
Type: IBM Security Bulletin 6987493 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 7004655 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7005479 (Cloud Pak for Network Automation)
IBM Cloud Pak for Network Automation 2.4.7 fixes multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7007891 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2022-32149)

Source: CCN
Type: IBM Security Bulletin 7009921 (Watson Assistant for Cloud Pak for Data)
IBM Watson Assistant for IBM Cloud Pak for Data is affected by multiple vulnerabilities in Golang Go

Source: CCN
Type: IBM Security Bulletin 7012675 (Netcool Operations Insight)
Netcool Operations Insights 1.6.9 addresses multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 7014659 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-32149

Vulnerable Configuration: Configuration CCN 1:
  • cpe:/a:golang:go:-:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:planning_analytics_local:*:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:workload_scheduler:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*

  • * Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8169 | P | Security update for SUSE Manager Client Tools (Important) | 2023-06-21

Vulnerable Software:
  • golang go -
  • ibm planning analytics local *
  • ibm cloud transformation advisor 2.0.1
  • ibm spectrum protect plus 10.1.5
  • ibm spectrum protect plus 10.1.7
  • ibm workload scheduler 9.5
  • ibm planning analytics workspace 2.0
  • ibm cloud pak for business automation 18.0.0
  • ibm cloud pak for business automation 18.0.2
  • ibm cloud pak for business automation 19.0.1
  • ibm cloud pak for business automation 19.0.3
  • ibm cloud pak for business automation 20.0.1
  • ibm cloud pak for business automation 20.0.3
  • ibm cloud pak for business automation 21.0.1 -
  • ibm cloud pak for business automation 21.0.2 -
  • ibm cloud pak for business automation 21.0.3 -
  • ibm cics tx 11.1 (standard)
  • ibm cics tx 11.1 (advanced)
  • ibm robotic process automation for cloud pak 21.0.1
  • ibm cloud pak for business automation 22.0.1 -
  • ibm cloud pak for security 1.10.0.0
  • ibm cloud pak for business automation 22.0.2 -