Vulnerability Name:

CVE-2022-41717 (CCN-241875)

Assigned:2022-12-08
Published:2022-12-08
Updated:2023-08-02
Summary:Golang Go is vulnerable to a denial of service, caused by a flaw when handling HTTP/2 requests in the Go server. By sending a specially-crafted keys, a remote attacker could exploit this vulnerability to cause excessive memory growth, and results in a denial of service condition.
CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-41717

Source: XF
Type: UNKNOWN
golang-cve202241717-dos(241875)

Source: security@golang.org
Type: Patch, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Patch, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Patch, Third Party Advisory
security@golang.org

Source: security@golang.org
Type: Mailing List, Release Notes, Third Party Advisory
security@golang.org

Source: security@golang.org
Type: Mailing List
security@golang.org

Source: security@golang.org
Type: Mailing List
security@golang.org

Source: security@golang.org
Type: Mailing List
security@golang.org

Source: CCN
Type: GO-2022-1144
GO

Source: security@golang.org
Type: Vendor Advisory
security@golang.org

Source: CCN
Type: IBM Security Bulletin 6959923 (Cloud Integration Platform)
Operations Dashboard is vulnerable to denial of service and request smuggling due to Go CVE-2022-41717 and CVE-2022-41721

Source: CCN
Type: IBM Security Bulletin 6959931 (Cloud Integration Platform)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to CVE-2022-41717 in Go

Source: CCN
Type: IBM Security Bulletin 6960739 (Spectrum Copy Data Management)
Vulnerabilities in Golang Go and Java SE might affect IBM Spectrum Copy Data Management (CVE-2022-41717, CVE-2023-21830, CVE-2023-21835, CVE-2023-21843)

Source: CCN
Type: IBM Security Bulletin 6963640 (Spectrum Protect Server)
Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930)

Source: CCN
Type: IBM Security Bulletin 6963940 (CICS TX Advanced)
CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Advanced

Source: CCN
Type: IBM Security Bulletin 6963942 (CICS TX Standard)
CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6964532 (Spectrum Scale DAS)
A vulnerability has been identified in IBM Spectrum Scale Data Access Services (DAS) which can cause denial of service.

Source: CCN
Type: IBM Security Bulletin 6965352 (Spectrum Protect Plus Container Agent)
Vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift

Source: CCN
Type: IBM Security Bulletin 6965816 (Spectrum Protect Plus)
Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6966872 (Event Streams)
IBM Event Streams is affected by a vulnerability in Golang Go (CVE-2022-41717)

Source: CCN
Type: IBM Security Bulletin 6967291 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 6967677 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2022-41717)

Source: CCN
Type: IBM Security Bulletin 6982923 (Sterling Order Management)
Golang Go vulnerability

Source: CCN
Type: IBM Security Bulletin 6983246 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go

Source: CCN
Type: IBM Security Bulletin 6984199 (Db2 Rest)
Multiple vulnerabilities affect IBM Db2 REST

Source: CCN
Type: IBM Security Bulletin 6987057 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container operands and operator may be vulnerable to denial of service due to [CVE-2022-41717]

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:golang:go:1.19.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8013
    P
    go1.19-1.19.9-150000.1.31.1 on GA media (Moderate)
    2023-06-20
    BACK
    golang go 1.19.0
    ibm spectrum protect plus 10.1.0
    ibm event streams 10.0.0
    ibm event streams 10.1.0
    ibm event streams 10.3.0
    ibm event streams 10.3.1
    ibm app connect enterprise certified container 4.1
    ibm cics tx 11.1
    ibm cics tx 11.1
    ibm app connect enterprise certified container 4.2
    ibm robotic process automation for cloud pak 21.0.1
    ibm app connect enterprise certified container 5.0
    ibm app connect enterprise certified container 5.1
    ibm app connect enterprise certified container 5.2
    ibm app connect enterprise certified container 6.0
    ibm app connect enterprise certified container 6.1
    ibm app connect enterprise certified container 6.2