Bug 2107388 (CVE-2022-30635)

Summary: CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abishop, adam.kaplan, adudiak, agarcial, agerstmayr, akashem, akoutsou, alcohan, amctagga, amurdaca, anjoseph, anpicker, aoconnor, aos-network-edge-staff, aos-odin-bot, asm, aveerama, bbennett, bcoca, bdettelb, blaise, bmontgom, bniver, bodavis, bperkins, bradley.g.smith, brking, bthurber, carl, cdaley, chousekn, cmeyers, container-sig, danken, davide, davidn, dbenoit, deparker, dfreiber, dhanak, doconnor, dperaza, drow, dsimansk, dwd, dwest, dwhatley, dymurray, ebakerupw, eclipseo, eduardo.ramalho, eglynn, emachado, eparis, fdeutsch, flucifre, fpokorny, gblomqui, gmeno, go-sig, gparvin, grafana-maint, gscrivan, haoli, hhorak, hkataria, ibolton, jajackso, jbrooks, jburrell, jcajka, jcammara, jchaloup, jhadvig, jhardy, jhrozek, jitsingh, jjoyce, jmatthew, jmitchel, jmontleo, jneedle, jnovy, jobarker, jorton, jpadman, jprabhak, jramanat, jschluet, jwendell, jwon, kegrant, kingland, koliveir, kshier, kverlaen, lacypret, lball, lbragsta, lchilton, lemenkov, lhh, lmeyer, lsm5, lsvaty, mabashia, manissin, marcandre.lureau, matzew, maxwell, mbenjamin, mburns, me, mfojtik, mgarciac, mgoodwin, mhackett, mheon, michel, mnewsome, mnovotny, mwringe, nathans, ngompa13, njean, nobody, notting, nstielau, obudai, obulatov, ocp-storage-bot, ocs-bugs, omaciel, openshift-release-oversight, opohorel, oramraz, osapryki, osbuilders, oskutka, owatkins, pahickey, pbraun, pegoncal, pehunt, pgaikwad, pgrist, pierdipi, ploffay, quantum.analyst, rcernich, relrod, rguimara, rhaigner, rh.container.bot, rhos-maint, rhuss, rjohnson, rpetrell, rphillips, ryncsn, sanchezl, santiago, sausingh, scorneli, sdoran, sejug, sfeifer, sgott, shvarugh, simaishi, sipoyare, skontopo, slaznick, slucidi, smcdonal, smullick, sostapov, spandura, spasquie, sponnaga, spower, sseago, ssteinbe, stcannon, stirabos, strigazi, surbania, teagle, team-winc-bot, tfister, tgunders, thason, thavo, tkuratom, tsedovic, tstellar, twalsh, ubhargav, uhhadd, user-cont-team+packit-fas, vereddy, vkumar, wenshen, whayutin, wtam, xxia, yanqiyu01, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang 1.18.4, golang 1.17.12 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. When calling Decoder, Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion and allows an attacker to impact system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-17 00:36:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2115532, 2107389, 2109914, 2109915, 2109916, 2109917, 2110276, 2110349, 2111001, 2111496, 2111746, 2111747, 2111752, 2111753, 2111765, 2111766, 2111772, 2111773, 2111774, 2111775, 2111782, 2111783, 2112009, 2112010, 2115530, 2115531, 2115534, 2115536, 2115537, 2115539, 2115543, 2115544, 2115545, 2115546, 2115547, 2115548, 2115549, 2115551, 2123509, 2123510, 2123514, 2123748, 2123750, 2123754, 2134423, 2134424, 2174379    
Bug Blocks: 2108341    

Description Anten Skrabec 2022-07-14 21:38:16 UTC 
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.
Comment 1 Anten Skrabec 2022-07-14 21:38:31 UTC 
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2107389]
Comment 7 Avinash Hanwate 2022-07-25 09:34:39 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2110349]
Comment 17 errata-xmlrpc 2022-08-01 12:04:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775
Comment 18 errata-xmlrpc 2022-08-01 16:04:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799
Comment 19 errata-xmlrpc 2022-08-02 09:54:12 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866
Comment 22 errata-xmlrpc 2022-08-10 11:38:09 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042
Comment 23 errata-xmlrpc 2022-08-10 13:17:09 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040
Comment 25 errata-xmlrpc 2022-08-31 18:49:46 UTC 
This issue has been addressed in the following products:

  OSSM-2.2-RHEL-8

Via RHSA-2022:6283 https://access.redhat.com/errata/RHSA-2022:6283
Comment 26 errata-xmlrpc 2022-09-01 05:42:08 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152
Comment 27 errata-xmlrpc 2022-09-06 12:59:20 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347
Comment 28 errata-xmlrpc 2022-09-06 13:03:23 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346
Comment 29 errata-xmlrpc 2022-09-06 13:43:46 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348
Comment 30 errata-xmlrpc 2022-09-06 14:35:23 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345
Comment 31 errata-xmlrpc 2022-09-06 22:30:19 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370
Comment 36 errata-xmlrpc 2022-10-25 09:30:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7129 https://access.redhat.com/errata/RHSA-2022:7129
Comment 39 errata-xmlrpc 2022-11-08 09:24:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519
Comment 40 errata-xmlrpc 2022-11-08 10:00:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7648 https://access.redhat.com/errata/RHSA-2022:7648
Comment 41 errata-xmlrpc 2022-11-15 10:07:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057
Comment 42 errata-xmlrpc 2022-11-15 10:44:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8250 https://access.redhat.com/errata/RHSA-2022:8250
Comment 43 errata-xmlrpc 2022-11-28 02:51:40 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2022:8634 https://access.redhat.com/errata/RHSA-2022:8634
Comment 45 errata-xmlrpc 2022-12-15 01:58:20 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047
Comment 59 errata-xmlrpc 2023-01-24 12:49:44 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407
Comment 60 errata-xmlrpc 2023-01-24 13:35:37 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 70 errata-xmlrpc 2023-03-06 18:40:03 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
Comment 72 errata-xmlrpc 2023-03-15 19:55:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275
Comment 74 errata-xmlrpc 2023-05-09 07:34:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357
Comment 76 errata-xmlrpc 2023-05-16 08:09:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758
Comment 77 errata-xmlrpc 2023-05-16 08:13:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802
Comment 78 Product Security DevOps Team 2023-05-17 00:36:16 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-30635
Comment 79 errata-xmlrpc 2023-06-15 16:00:29 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
Comment 80 errata-xmlrpc 2023-06-22 19:51:41 UTC 
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742