Bug 2107390 (CVE-2022-28131)

Summary: CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acui, adam.kaplan, adudiak, agarcial, agerstmayr, akashem, akostadi, akoutsou, alcohan, amackenz, amasferr, amctagga, amurdaca, andrew.jeddeloh, anjoseph, anpicker, ansmith, aoconnor, aos-network-edge-staff, aos-odin-bot, aputtur, asm, athoscribeiro, bbaude, bbennett, bcoca, bdettelb, bgilbert, bkundu, blaise, bmontgom, bniver, bodavis, bperkins, bradley.g.smith, bthurber, cbartlet, cdaley, chazlett, chousekn, cmeyers, code, container-sig, crizzo, dagray, davide, davidn, dbenoit, debarshir, deparker, dfreiber, dhanak, dmayorov, doconnor, dornelas, dperaza, drosa, drow, dsimansk, dustymabe, dwalsh, dwd, dwest, dwhatley, dymurray, ebakerupw, eclipseo, eglynn, emachado, eparis, fdeutsch, filbranden, flucifre, gblomqui, gmeno, go-sig, gparvin, grafana-maint, haoli, hkataria, ibolton, ijolliff, inoton, jacding, jaharrin, jajackso, jbalunas, jburrell, jcajka, jcammara, jchaloup, jchui, jeder, jhadvig, jhardy, jhrozek, jitsingh, jjoyce, jligon, jlledo, jmatthew, jmencak, jmitchel, jmontleo, jneedle, jnovy, jobarker, jonathan, jpadman, jprabhak, jramanat, jschluet, jwendell, jwon, kegrant, kingland, koliveir, kshier, kverlaen, lball, lbragsta, lchilton, lemenkov, lhh, lmeyer, lsm5, lsvaty, mabashia, maciek.borzecki, manissin, mark.e.fuller, matzew, maxwell, mbenjamin, mburns, mcressma, me, me, mfojtik, mgarciac, mgoodwin, mhackett, mheon, miabbott, michel, mkudlej, mmakovy, mnewsome, mnovotny, mrussell, mwringe, nathans, ngompa13, njean, nobody, notting, nparekh, nstielau, obudai, obulatov, ocp-storage-bot, ocs-bugs, o.lemasle, openshift-release-oversight, oramraz, osapryki, osbuilders, oskutka, owatkins, pahickey, patrick, pbraun, pegoncal, peholase, pehunt, pgaikwad, pgrist, pjindal, pknezevi, ploffay, pthomas, quantum.analyst, rcernich, redhat, relrod, rhaigner, rh.container.bot, rhcos-sst, rhcos-triage, rhos-maint, rhuss, rjohnson, rpetrell, rphillips, ryncsn, sanchezl, santiago, saroy, sausingh, scorneli, sdoran, sejug, sfeifer, sgott, shvarugh, simaishi, sipoyare, skunkerk, slaznick, slucidi, smcdonal, smullick, sostapov, spandura, spasquie, sponnaga, spower, spresti, sseago, ssteinbe, stcannon, stirabos, surbania, teagle, team-winc-bot, tfister, tgunders, thason, thavo, tjochec, tkuratom, travier, tsedovic, tstellar, tsweeney, twalsh, umohnani, user-cont-team+packit-fas, vereddy, vkumar, walters, wenshen, whayutin, wtam, xiyuan, xxia, yanqiyu01, yguenane, zdohnal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang 1.18.4, golang 1.17.12 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang encoding/xml. When calling Decoder, Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-17 00:37:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2115482, 2107391, 2109914, 2109915, 2109916, 2109917, 2110320, 2111001, 2111496, 2111746, 2111747, 2111758, 2111759, 2111760, 2111765, 2111766, 2111767, 2111786, 2112009, 2112010, 2115483, 2115484, 2115485, 2115486, 2115487, 2115488, 2115489, 2115490, 2115491, 2115492, 2115493, 2115494, 2123509, 2123510, 2123514, 2123748, 2123750, 2123754    
Bug Blocks: 2108717    

Description Anten Skrabec 2022-07-14 21:40:32 UTC 
Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.
Comment 1 Anten Skrabec 2022-07-14 21:40:52 UTC 
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2107391]
Comment 5 Avinash Hanwate 2022-07-25 08:15:08 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2110320]
Comment 17 errata-xmlrpc 2022-08-01 12:04:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775
Comment 18 errata-xmlrpc 2022-08-01 16:04:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799
Comment 19 errata-xmlrpc 2022-08-02 09:54:21 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866
Comment 23 errata-xmlrpc 2022-08-10 11:38:13 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042
Comment 24 errata-xmlrpc 2022-08-10 13:17:16 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040
Comment 27 errata-xmlrpc 2022-08-18 15:11:43 UTC 
This issue has been addressed in the following products:

  Application Interconnect 1 for RHEL 8

Via RHSA-2022:6113 https://access.redhat.com/errata/RHSA-2022:6113
Comment 28 errata-xmlrpc 2022-08-25 11:22:03 UTC 
This issue has been addressed in the following products:

  Node Maintenance Operator 4.11 for RHEL 8

Via RHSA-2022:6188 https://access.redhat.com/errata/RHSA-2022:6188
Comment 29 errata-xmlrpc 2022-08-31 18:49:58 UTC 
This issue has been addressed in the following products:

  OSSM-2.2-RHEL-8

Via RHSA-2022:6283 https://access.redhat.com/errata/RHSA-2022:6283
Comment 30 errata-xmlrpc 2022-09-01 05:42:08 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152
Comment 31 errata-xmlrpc 2022-09-06 12:59:45 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347
Comment 32 errata-xmlrpc 2022-09-06 13:03:47 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346
Comment 33 errata-xmlrpc 2022-09-06 13:44:09 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348
Comment 34 errata-xmlrpc 2022-09-06 14:35:27 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345
Comment 35 errata-xmlrpc 2022-09-06 22:30:42 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370
Comment 42 errata-xmlrpc 2022-11-08 09:24:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519
Comment 43 errata-xmlrpc 2022-11-08 09:29:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529
Comment 44 errata-xmlrpc 2022-11-15 10:07:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057
Comment 47 errata-xmlrpc 2022-12-15 01:58:26 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047
Comment 62 errata-xmlrpc 2023-01-24 12:49:58 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407
Comment 63 errata-xmlrpc 2023-01-24 13:35:46 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 72 errata-xmlrpc 2023-03-06 18:40:20 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
Comment 75 errata-xmlrpc 2023-05-16 08:09:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758
Comment 76 errata-xmlrpc 2023-05-16 08:14:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802
Comment 78 Product Security DevOps Team 2023-05-17 00:37:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-28131
Comment 79 errata-xmlrpc 2023-06-15 16:00:43 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642