Bug 2134010 (CVE-2022-32149)

Summary: CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alazar, amurdaca, aoconnor, bbaude, bdettelb, bniver, dcadzow, deparker, dkenigsb, dwalsh, dwd, dwhatley, dymurray, eduardo.ramalho, fdeutsch, flucifre, gmeno, go-sig, gparvin, ibolton, jburrell, jcajka, jcantril, jligon, jmatthew, jmontleo, jnovy, joelsmith, jramanat, jwendell, lemenkov, lgamliel, lsm5, maxwell, mbenjamin, mboddu, mfilanov, mhackett, mheon, njean, ocs-bugs, oramraz, osbuilders, oskutka, pahickey, periklis, pthomas, rcernich, rfreiman, sgott, slucidi, smullick, sostapov, sseago, stcannon, tsweeney, twalsh, umohnani, vereddy, vkumar, whayutin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang.org/x/text 0.3.8 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-06 22:24:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2134335, 2134336, 2134926, 2134927, 2134928, 2134929, 2134930, 2134933, 2134934, 2135218, 2135219, 2135220, 2135221, 2135222, 2135223, 2149958, 2217701, 2217702    
Bug Blocks: 2134011    

Description TEJ RATHI 2022-10-12 06:41:02 UTC 
A vulnerability was found in golang.org/x/text/language package which could cause a denial of service. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Version v0.3.8 of golang.org/x/text fixes a vulnerability.

References:
https://groups.google.com/g/golang-dev/c/qfPIly0X7aU.
https://go.dev/issue/56152.

Upstream Commit:
https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c
Comment 6 errata-xmlrpc 2022-11-03 13:32:46 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.9

Via RHSA-2022:7407 https://access.redhat.com/errata/RHSA-2022:7407
Comment 7 errata-xmlrpc 2022-11-09 16:44:07 UTC 
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2022:6882 https://access.redhat.com/errata/RHSA-2022:6882
Comment 8 errata-xmlrpc 2022-11-10 03:50:31 UTC 
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:7434 https://access.redhat.com/errata/RHSA-2022:7434
Comment 9 errata-xmlrpc 2022-11-16 12:14:11 UTC 
This issue has been addressed in the following products:

  Logging subsystem for Red Hat OpenShift 5.4

Via RHSA-2022:7435 https://access.redhat.com/errata/RHSA-2022:7435
Comment 21 errata-xmlrpc 2023-01-26 21:23:50 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2023:0481 https://access.redhat.com/errata/RHSA-2023:0481
Comment 27 errata-xmlrpc 2023-02-09 01:07:29 UTC 
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2023:0692 https://access.redhat.com/errata/RHSA-2023:0692
Comment 28 errata-xmlrpc 2023-02-09 02:17:38 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693
Comment 29 errata-xmlrpc 2023-02-15 21:47:18 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:0795 https://access.redhat.com/errata/RHSA-2023:0795
Comment 31 errata-xmlrpc 2023-03-06 18:40:57 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
Comment 32 Product Security DevOps Team 2023-03-06 22:24:38 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32149
Comment 34 errata-xmlrpc 2023-05-18 00:36:35 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13
  RHEL-7-CNV-4.13
  RHEL-8-CNV-4.13

Via RHSA-2023:3204 https://access.redhat.com/errata/RHSA-2023:3204
Comment 35 errata-xmlrpc 2023-05-18 02:55:33 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205
Comment 36 errata-xmlrpc 2023-06-26 01:16:06 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613
Comment 37 Dhananjay Arunesh 2023-06-26 23:22:51 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2217701]
Affects: fedora-all [bug 2217702]
Comment 40 errata-xmlrpc 2024-04-23 14:07:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1994 https://access.redhat.com/errata/RHSA-2024:1994
Comment 41 errata-xmlrpc 2024-04-29 00:26:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2077 https://access.redhat.com/errata/RHSA-2024:2077