Bug 2053532 (CVE-2022-23772)

Summary: CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abishop, akashem, alitke, amctagga, amuller, amurdaca, anharris, anpicker, aos-bugs, apevec, asm, bbennett, bdettelb, bmontgom, bniver, bodavis, caswilli, cnv-qe-bugs, crarobin, dbecker, dbenoit, dholler, dornelas, dwalsh, dwd, dwhatley, dymurray, eglynn, emachado, eparis, erooth, etamir, fdeutsch, fjansen, flucifre, gmeno, hchiramm, hvyas, ibolton, jaharrin, jakob, jarrpa, jburrell, jcajka, jeder, jjoyce, jligon, jmadigan, jmatthew, jmontleo, jmulligan, jokerman, jortel, jpadman, jschluet, jwendell, jwong, jwon, kaycoth, krathod, lball, lemenkov, lhh, lhinds, lmadsen, lmeyer, lpeer, madam, maszulik, matzew, mbenjamin, mburns, mfojtik, mgarciac, mhackett, mkleinhe, mmagr, mnewsome, mrunge, mrussell, mthoemme, mwringe, nbecker, ngough, nobody, nstielau, ntait, ocs-bugs, pamccart, ploffay, rcernich, rfreiman, rhcos-triage, rhos-maint, rhs-bugs, rhuss, rphillips, rrajasek, rtalur, sabose, sclewis, sgott, sipoyare, slinaber, slucidi, sostapov, spasquie, sponnaga, spower, sseago, stirabos, sttts, tcarlin, tkasparek, tnielsen, tstellar, tsweeney, twalsh, vereddy, vkumar, xxia, ypadia, ytale
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: go 1.17.7, go 1.16.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the math/big package of the Go standard library. Rat.SetString could overflow, and if left unhandled this could lead to excessive memory use. This issue could allow a remote attacker to impact the availability of the system.
Story Points: ---
Last Closed: 2022-05-11 16:16:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2073717, 2073718, 2053533, 2053534, 2053535, 2054246, 2054247, 2054840, 2054843, 2054845, 2056093, 2056094, 2056095, 2056096, 2056097, 2056098, 2056099, 2056100, 2056101, 2056102, 2067536, 2068662, 2068663, 2068664, 2068667, 2068668, 2068669, 2068670, 2068671, 2068672, 2068673, 2068674, 2068675, 2068676, 2068677, 2068678, 2068679, 2068680, 2068681, 2068682, 2068803, 2068804, 2068805, 2068806, 2068807, 2068808, 2068809, 2068810, 2068811, 2068812, 2068813, 2068814, 2068815, 2068816, 2068817, 2068818, 2068819, 2068820, 2068821, 2068822, 2068823, 2068824, 2068825, 2068826, 2068827, 2068828, 2068829, 2068830, 2068831, 2068832, 2068833, 2068834, 2068835, 2068836, 2068837, 2068838, 2068840, 2068841, 2068842, 2068843, 2068844, 2068845, 2068846, 2068847, 2068848, 2068849, 2068850, 2077693, 2080403, 2080404, 2168805
Bug Blocks: 2053545

Description Guilherme de Almeida Suckevicz 2022-02-11 13:32:55 UTC
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.

Reference:
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
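As an added defensive illustration, not code from the Go project or from this bug report: a Go wrapper that bounds the length of untrusted input before it reaches Rat.SetString, plus a check of a runtime.Version() string against the fixed releases listed in this bug (go 1.16.14, go 1.17.7). The cap maxRatInputLen and both function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"math/big"
	"strconv"
	"strings"
)

// maxRatInputLen is an assumed cap on untrusted numeric input; size it to your data.
const maxRatInputLen = 256

// ParseRatBounded rejects over-long strings before they reach Rat.SetString, so
// attacker-controlled input cannot drive the parser into unbounded work or memory.
func ParseRatBounded(s string) (*big.Rat, error) {
	if len(s) > maxRatInputLen {
		return nil, fmt.Errorf("input of %d bytes exceeds bound %d", len(s), maxRatInputLen)
	}
	r, ok := new(big.Rat).SetString(s)
	if !ok {
		return nil, fmt.Errorf("invalid rational %q", s)
	}
	return r, nil
}

// goVersionFixed reports whether a runtime.Version() string such as "go1.17.3" is at or
// past the fixed releases in this bug (go 1.16.14, go 1.17.7); newer minors count as fixed,
// devel builds and release candidates do not.
func goVersionFixed(v string) bool {
	var n [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		x, err := strconv.Atoi(p)
		if err != nil {
			return false
		}
		n[i] = x
	}
	major, minor, patch := n[0], n[1], n[2]
	switch {
	case major != 1:
		return major > 1
	case minor == 16:
		return patch >= 14
	case minor == 17:
		return patch >= 7
	default:
		return minor > 17
	}
}
```

Calling goVersionFixed(runtime.Version()) at startup lets a service log or refuse to run on an unpatched toolchain; the length bound is defence in depth that stays useful after patching.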

Comment 1 Guilherme de Almeida Suckevicz 2022-02-11 13:33:46 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2053533]
Affects: fedora-all [bug 2053535]
Affects: openstack-rdo [bug 2053534]

Comment 22 errata-xmlrpc 2022-05-10 13:39:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1819 https://access.redhat.com/errata/RHSA-2022:1819

Comment 23 Product Security DevOps Team 2022-05-11 16:16:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23772

Comment 24 errata-xmlrpc 2022-06-01 11:46:18 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:4860 https://access.redhat.com/errata/RHSA-2022:4860

Comment 25 errata-xmlrpc 2022-06-01 13:59:32 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.22

Via RHSA-2022:4863 https://access.redhat.com/errata/RHSA-2022:4863

Comment 26 errata-xmlrpc 2022-06-13 12:33:17 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:5004 https://access.redhat.com/errata/RHSA-2022:5004

Comment 27 errata-xmlrpc 2022-08-01 11:34:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5730 https://access.redhat.com/errata/RHSA-2022:5730

Comment 28 errata-xmlrpc 2022-08-10 10:08:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5068 https://access.redhat.com/errata/RHSA-2022:5068

Comment 29 errata-xmlrpc 2022-08-24 13:41:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6155 https://access.redhat.com/errata/RHSA-2022:6155

Comment 30 errata-xmlrpc 2022-08-24 13:46:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 31 errata-xmlrpc 2022-09-14 19:27:32 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526

Comment 32 errata-xmlrpc 2023-01-24 13:34:31 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408

Comment 34 errata-xmlrpc 2023-03-30 00:42:42 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529

Comment 35 errata-xmlrpc 2023-07-06 02:44:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:3914 https://access.redhat.com/errata/RHSA-2023:3914

Comment 38 errata-xmlrpc 2024-08-28 19:32:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:5754 https://access.redhat.com/errata/RHSA-2024:5754

Comment 39 errata-xmlrpc 2024-09-11 18:49:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:6412 https://access.redhat.com/errata/RHSA-2024:6412