Bug 2083647 (CVE-2022-29117)

Summary: CVE-2022-29117 dotnet: malicious content causes high CPU and memory usage
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: andrew.slice, bodavis, dbhole, kanderso, lvaleeva, omajid, rwagner, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in dotnet. The Microsoft Security Advisory describes the issue of a malicious client that can send MyCookie=chunks-2147483647 without the actual cookie chunks, causing large allocations, exceptions, and excess CPU utilization on the server when it tries to read or delete that many chunks.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-18 05:45:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2083680, 2083681, 2083682, 2083683, 2083684, 2083685, 2083686, 2083687, 2083688, 2083689, 2083690
Bug Blocks: 2082718

Description Patrick Del Bello 2022-05-10 14:20:21 UTC
A malicious client can send MyCookie=chunks-2147483647 without the actual cookie chunks and cause large allocations, exceptions and excess CPU utilization on the server when it tries to read or delete that many chunks. Affected .NET versions: 6.0, 5.0, 3.1
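
A defender-side check for the request shape described above, as an added example that is not part of this bug report or of .NET's own code: it audits a Cookie header for a declared chunk count that exceeds a cap or is not backed by chunk cookies. The cap of 50, the `<name>C<i>` chunk cookie naming, the function names and the sample headers are assumptions constructed for illustration.

```python
import re

# Matches a cookie value that only declares a chunk count, e.g. "chunks-3".
CHUNK_COUNT_RE = re.compile(r"^chunks-(\d+)$")
MAX_CHUNKS = 50  # assumed policy cap, not a value taken from the advisory


def parse_cookie_header(header):
    """Split a Cookie request header into a name -> value dict (first value wins)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies.setdefault(name, value)
    return cookies


def audit_chunked_cookies(header, max_chunks=MAX_CHUNKS):
    """Return (cookie_name, declared_count_text, reason) for suspicious declarations."""
    cookies = parse_cookie_header(header)
    findings = []
    for name, value in cookies.items():
        match = CHUNK_COUNT_RE.match(value)
        if not match:
            continue
        digits = match.group(1)
        # Reject on length first so an absurdly long digit run is never converted.
        if len(digits) > 10 or int(digits) > max_chunks:
            findings.append((name, digits, "count-over-cap"))
            continue
        # The count is now bounded by max_chunks, so this scan is cheap.
        # Assumption: chunk cookies are named <name>C1 .. <name>CN.
        declared = int(digits)
        if any(f"{name}C{i}" not in cookies for i in range(1, declared + 1)):
            findings.append((name, digits, "missing-chunks"))
    return findings


# Constructed sample headers, not captured traffic.
SAMPLES = [
    "MyCookie=chunks-2; MyCookieC1=aaa; MyCookieC2=bbb; theme=dark",
    "MyCookie=chunks-2147483647",
    "MyCookie=chunks-3; MyCookieC1=aaa",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_chunked_cookies(sample))
```

The cap is checked before any per-chunk work, so the audit itself never loops over a client-supplied count.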

Comment 2 errata-xmlrpc 2022-05-11 17:55:22 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:2195 https://access.redhat.com/errata/RHSA-2022:2195

Comment 3 errata-xmlrpc 2022-05-11 18:05:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:2200 https://access.redhat.com/errata/RHSA-2022:2200

Comment 4 errata-xmlrpc 2022-05-11 18:08:52 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:2194 https://access.redhat.com/errata/RHSA-2022:2194

Comment 5 errata-xmlrpc 2022-05-11 18:19:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:2199 https://access.redhat.com/errata/RHSA-2022:2199

Comment 6 errata-xmlrpc 2022-05-11 18:21:06 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:2196 https://access.redhat.com/errata/RHSA-2022:2196

Comment 7 errata-xmlrpc 2022-05-11 18:41:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:2202 https://access.redhat.com/errata/RHSA-2022:2202

Comment 8 errata-xmlrpc 2022-05-18 01:25:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:4588 https://access.redhat.com/errata/RHSA-2022:4588

Comment 9 Product Security DevOps Team 2022-05-18 05:45:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29117