Vulnerability Name:

CVE-2022-41723 (CCN-247965)

Assigned:2022-09-28
Published:2023-01-18
Updated:2023-05-16
Summary:Golang Go is vulnerable to a denial of service, caused by a flaw in the HPACK decoder. By sending a specially-crafted HTTP/2 stream, a remote attacker could exploit this vulnerability to cause excessive CPU consumption, and results in a denial of service condition.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-41723

Source: XF
Type: UNKNOWN
golang-cve202241723-dos(247965)

Source: CCN
Type: Go GIT Repository
net/http: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) #57855

Source: security@golang.org
Type: Patch
security@golang.org

Source: security@golang.org
Type: Patch
security@golang.org

Source: security@golang.org
Type: Issue Tracking
security@golang.org

Source: security@golang.org
Type: Mailing List, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Third Party Advisory
security@golang.org

Source: security@golang.org
Type: Third Party Advisory
security@golang.org

Source: security@golang.org
Type: Third Party Advisory
security@golang.org

Source: security@golang.org
Type: Third Party Advisory
security@golang.org

Source: security@golang.org
Type: Vendor Advisory
security@golang.org

Source: CCN
Type: IBM Security Bulletin 6965352 (Spectrum Protect Plus Container Agent)
Vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift

Source: CCN
Type: IBM Security Bulletin 6967022 (CICS TX Standard)
CVE-2022-41723 may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6967026 (CICS TX Advanced)
CVE-2022-41723 may affect IBM CICS TX Advanced

Source: CCN
Type: IBM Security Bulletin 6967291 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 6980347 (Cloud Integration Platform)
Operations Dashboard is vulnerable to denial of service due to multiple vulnerabilities in Go

Source: CCN
Type: IBM Security Bulletin 6980349 (Cloud Integration Platform)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Go

Source: CCN
Type: IBM Security Bulletin 6984413 (Db2 Rest)
Multiple vulnerabilities affect IBM Db2 REST

Source: CCN
Type: IBM Security Bulletin 6987489 (Db2 Rest)
Multiple vulnerabilities in golang affect IBM Db2 REST

Source: CCN
Type: IBM Security Bulletin 6997601 (CICS TX Advanced)
CVE-2022-41723 and CVE-2022-41721 may affect IBM CICS TX Advanced

Source: CCN
Type: IBM Security Bulletin 7004575 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go

Source: CCN
Type: IBM Security Bulletin 7005485 (Cloud Pak for Network Automation)
Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7005569 (Spectrum Protect)
IBM Storage Protect server is vulnerable to a denial of service attack due to Golang Go (CVE-2022-41723)

Source: CCN
Type: IBM Security Bulletin 7005589 (Spectrum Protect Plus)
Vulnerabilities in Apache Commons, Tomcat, Go, libcurl, OpenSSL, Python, Node.js, and Linux can affect IBM Spectrum Protect Plus.

Source: CCN
Type: IBM Security Bulletin 7008449 (Db2 on Cloud Pak for Data)
Multiple vulnerabilities affect IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 7009757 (Match 360)
ICP Match 360 is vulnerable to the following CVEs

Source: CCN
Type: IBM Security Bulletin 7009921 (Watson Assistant for Cloud Pak for Data)
IBM Watson Assistant for IBM Cloud Pak for Data is affected by multiple vulnerabilities in Golang Go

Source: CCN
Type: IBM Security Bulletin 7011775 (Event Streams)
IBM Event Streams is vulnerable to a denial of service attack due to Golang Go (CVE-2022-41723)

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-41723

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:golang:go:1.19.5:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:spectrum_protect:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8171
    P
    Security update for golang-github-prometheus-prometheus (Important)
    2023-06-21
    oval:org.opensuse.security:def:8013
    P
    go1.19-1.19.9-150000.1.31.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:8014
    P
    go1.20-1.20.4-150000.1.11.1 on GA media (Moderate)
    2023-06-20
    BACK
    golang go 1.19.5
    ibm spectrum protect 8.1
    ibm spectrum protect plus 10.1.0
    ibm event streams 10.0.0
    ibm cics tx 11.1
    ibm cics tx 11.1
    ibm robotic process automation for cloud pak 21.0.1