Bug 2064857 (CVE-2022-24921)

Summary: CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abishop, adudiak, ahrabovs, alitke, amctagga, amurdaca, anharris, anpicker, aoconnor, aos-bugs, apevec, asm, aucunnin, bbennett, bdettelb, bmontgom, bniver, bodavis, caswilli, crarobin, crizzo, dbenoit, deparker, dfreiber, dhanak, dholler, doconnor, dornelas, drow, dsimansk, dwalsh, dwd, dwhatley, dymurray, eglynn, emachado, eparis, etamir, fdeutsch, fjansen, flucifre, gmeno, hchiramm, ibolton, jaharrin, jakob, jburrell, jcajka, jeder, jjoyce, jkoehler, jligon, jmadigan, jmatthew, jmontleo, jnovy, joelsmith, jokerman, jortel, jpadman, jschluet, jwendell, jwong, jwon, kaycoth, kingland, kshier, kverlaen, lball, lemenkov, lhh, lhinds, lmadsen, lmeyer, lphiri, lsvaty, madam, manissin, maszulik, matzew, mbenjamin, mburns, mfojtik, mgarciac, mhackett, mkleinhe, mmagr, mnewsome, mnovotny, mrunge, mrussell, mstoklus, msugakov, mthoemme, mwringe, nbecker, ngough, nobody, nstielau, ocs-bugs, oezr, orabin, oramraz, ovanders, pamccart, pgaikwad, pgrist, phoracek, ploffay, rcernich, rfreiman, rhcos-triage, rhos-maint, rhs-bugs, rhuss, rjohnson, rogbas, rphillips, rrajasek, sausingh, sgott, sipoyare, skontopo, slucidi, smullick, sostapov, spasquie, sponnaga, spower, sseago, stirabos, sttts, tcarlin, teagle, thason, tkasparek, tnielsen, tstellar, tsweeney, twalsh, vereddy, vimartin, vkumar, xxia, ypadia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: golang 1.16.15, golang 1.17.8
Doc Type: If docs needed, set a value
Doc Text:
A stack overflow flaw was found in Golang's regexp module, which can crash the runtime if the application using regexp accepts very long or arbitrarily long regexps from untrusted sources that have sufficient nesting depths. To exploit this vulnerability, an attacker would need to send large regexps with deep nesting to the application. Triggering this flaw leads to a crash of the runtime, which causes a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-01-26 18:22:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2071534, 2071536, 2065362, 2065363, 2066507, 2066508, 2066509, 2066510, 2066512, 2066513, 2066925, 2066926, 2066927, 2066928, 2066929, 2066930, 2066931, 2066932, 2066933, 2066934, 2066935, 2066936, 2066937, 2071142, 2071143, 2071144, 2071145, 2071146, 2071147, 2071148, 2071149, 2071150, 2071151, 2071152, 2071153, 2071154, 2071155, 2071156, 2071157, 2071158, 2071159, 2071160, 2071161, 2071162, 2071163, 2071164, 2071165, 2071168, 2071169, 2071170, 2071535, 2071555, 2071556, 2077168, 2077169, 2077170, 2077171, 2077172, 2077173, 2077175, 2077176, 2077177, 2077178, 2077179, 2077180, 2077181, 2077182, 2077183, 2077184, 2077185, 2077186, 2077187, 2077188, 2077189, 2077190, 2077191, 2077192, 2077193, 2077194, 2077195, 2077196, 2077197, 2077198, 2077199, 2077201, 2077202, 2077203, 2077205, 2077206, 2077208, 2077209, 2077210, 2077212, 2077213, 2077215, 2077216, 2077218, 2077219, 2077220, 2077222, 2077223, 2077225, 2077226, 2077227, 2077228, 2077229, 2077230, 2077231, 2077232, 2077233, 2077234, 2077235, 2077236, 2077237, 2077238, 2077239, 2077240
Bug Blocks: 2064858

Description Patrick Del Bello 2022-03-16 19:02:47 UTC
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.

Reference: https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk
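The Doc Text above identifies the exposure as applications that hand long, deeply nested patterns from untrusted sources to regexp.Compile. One defensive gate for such applications, as an added example that is not part of this bug report or of the Go fix: scan the pattern with a cheap linear pass and reject it on length or group nesting depth before the parser ever sees it, so the outcome on an unpatched Go runtime is an error rather than a crash. The limits MaxPatternLen and MaxNestingDepth and the function names are assumptions chosen for illustration, not values taken from the bug or from the upstream patch.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Limits applied to patterns that arrive from untrusted input. The values
// are illustrative assumptions; pick them from what your application's own
// legitimate patterns actually need.
const (
	MaxPatternLen   = 1024
	MaxNestingDepth = 32
)

var (
	ErrPatternTooLong = errors.New("regexp pattern exceeds length limit")
	ErrNestedTooDeep  = errors.New("regexp pattern nests too deeply")
)

// NestingDepth returns the maximum depth of unescaped group parentheses in
// pattern. A parenthesis preceded by a backslash or placed inside a bracket
// expression does not open or close a group and is ignored. The bracket
// handling is deliberately simple (a literal ']' at the start of a class
// ends the class early), which can only overcount depth and so errs on the
// side of rejecting.
func NestingDepth(pattern string) int {
	depth, maxDepth := 0, 0
	inClass, escaped := false, false
	for _, r := range pattern {
		switch {
		case escaped:
			escaped = false
		case r == '\\':
			escaped = true
		case inClass:
			if r == ']' {
				inClass = false
			}
		case r == '[':
			inClass = true
		case r == '(':
			depth++
			if depth > maxDepth {
				maxDepth = depth
			}
		case r == ')':
			if depth > 0 {
				depth--
			}
		}
	}
	return maxDepth
}

// CompileUntrusted enforces the length and nesting limits before calling
// regexp.Compile, so a hostile pattern is refused by a linear scan instead
// of being parsed recursively.
func CompileUntrusted(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > MaxPatternLen {
		return nil, ErrPatternTooLong
	}
	if NestingDepth(pattern) > MaxNestingDepth {
		return nil, ErrNestedTooDeep
	}
	return regexp.Compile(pattern)
}

func main() {
	// Constructed samples: a benign pattern and one nested far past the limit.
	benign := `^(?i)(foo|bar)+\d{2,4}$`
	deep := strings.Repeat("(", 500) + "a" + strings.Repeat(")", 500)
	for _, p := range []string{benign, deep} {
		if _, err := CompileUntrusted(p); err != nil {
			fmt.Printf("rejected (len %d, depth %d): %v\n", len(p), NestingDepth(p), err)
		} else {
			fmt.Printf("compiled (len %d, depth %d)\n", len(p), NestingDepth(p))
		}
	}
}
```

The gate is independent of the Go version: on 1.16.15 and 1.17.8 (the fixed versions listed above) the parser itself refuses excessive nesting, but an application that must keep running on older toolchains, or that wants a tighter bound than the runtime's, still benefits from rejecting such input before parsing.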

Comment 3 Todd Cullum 2022-03-21 23:07:21 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2066512]
Affects: openstack-rdo [bug 2066513]

Comment 16 errata-xmlrpc 2022-06-28 19:26:18 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5415 https://access.redhat.com/errata/RHSA-2022:5415

Comment 19 errata-xmlrpc 2022-08-01 11:15:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5729 https://access.redhat.com/errata/RHSA-2022:5729

Comment 20 errata-xmlrpc 2022-08-01 11:34:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5730 https://access.redhat.com/errata/RHSA-2022:5730

Comment 23 errata-xmlrpc 2022-08-10 10:09:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5068 https://access.redhat.com/errata/RHSA-2022:5068

Comment 24 errata-xmlrpc 2022-08-10 11:36:31 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042

Comment 25 errata-xmlrpc 2022-08-10 13:14:51 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040

Comment 28 Misha Sugakov 2022-08-19 16:19:33 UTC
Could someone please confirm which go 1.18 version addresses/is free from this vulnerability?

Comment 29 errata-xmlrpc 2022-08-24 13:47:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 30 errata-xmlrpc 2022-08-31 16:55:24 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277

Comment 31 errata-xmlrpc 2022-09-14 19:27:45 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526

Comment 32 errata-xmlrpc 2022-09-26 15:26:27 UTC
This issue has been addressed in the following products:

  RHACS-3.72-RHEL-8

Via RHSA-2022:6714 https://access.redhat.com/errata/RHSA-2022:6714

Comment 35 errata-xmlrpc 2022-12-01 21:09:53 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:8750 https://access.redhat.com/errata/RHSA-2022:8750

Comment 53 errata-xmlrpc 2023-01-24 12:48:47 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407

Comment 54 Product Security DevOps Team 2023-01-26 18:22:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24921