Bug 2268046 (CVE-2024-24786)

Summary: CVE-2024-24786 golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abishop, alcohan, amctagga, anjoseph, anthomas, aoconnor, asatyam, asherlan, bbuckingham, bcourt, bdettelb, bniver, danken, dfreiber, dhanak, dhellmann, dholler, diagrawa, dkenigsb, doconnor, drosa, drow, dsimansk, dymurray, eglynn, ehelms, fdeutsch, flucifre, ggainey, ggiguash, gkamathe, gmeno, gparvin, ibolton, jburrell, jcantril, jforrest, jjoyce, jkoehler, jmatthew, jmontleo, joelsmith, jprabhak, jschluet, jshaughn, jsherril, juwatts, jwendell, kingland, kverlaen, lbainbri, lchilton, lhh, lphiri, lsvaty, lzap, manissin, matzew, mbenjamin, mbocek, mburns, mgarciac, mhackett, mhulan, mnovotny, mrajanna, muagarwa, mwringe, njean, nmoumoul, odf-bz-bot, orabin, oramraz, osousa, owatkins, pahickey, pcreech, pgaikwad, pgrist, phoracek, pierdipi, rcernich, rchan, rguimara, rhaigner, rhuss, rjohnson, rojacob, sabiswas, sakbas, sapillai, sausingh, sdawley, sfeifer, shbose, sidakwo, sipoyare, slucidi, smallamp, smullick, sostapov, spandura, sseago, stirabos, teagle, thason, tnielsen, twalsh, vereddy, vkumar, whayutin, wtam
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: google.golang.org/protobuf 1.33.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Golang's protobuf module, where the unmarshal function can enter an infinite loop when processing certain invalid inputs. This issue occurs during unmarshaling into a message that includes a google.protobuf.Any or when the UnmarshalOptions.DiscardUnknown option is enabled. This flaw allows an attacker to craft malicious input tailored to trigger the identified flaw in the unmarshal function. By providing carefully constructed invalid inputs, they could potentially cause the function to enter an infinite loop, resulting in a denial of service condition or other unintended behaviors in the affected system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2268125, 2268126, 2268127, 2268128, 2268129, 2268130, 2268134, 2268135, 2268141, 2268142, 2268143, 2268146, 2268147, 2268148, 2268157, 2268158, 2268159, 2268160, 2268161, 2268162, 2268163, 2268164, 2268165, 2268166, 2268167, 2275340, 2275341, 2291459, 2291460, 2306529, 2306533, 2306543, 2306545, 2306546, 2314791    
Bug Blocks: 2268169    

Description TEJ RATHI 2024-03-06 06:49:40 UTC 
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

https://go.dev/cl/569356
https://pkg.go.dev/vuln/GO-2024-2611
Comment 19 TEJ RATHI 2024-03-13 03:51:44 UTC 
Update:

A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown option is set (as well as when unmarshaling into any message which contains a google.protobuf.Any). There is no UnmarshalUnknown option.

In addition, version 1.33.0 of google.golang.org/protobuf inadvertently introduced an incompatibility with the older github.com/golang/protobuf module. (https://github.com/golang/protobuf/issues/1596) Users of the older module should update to github.com/golang/prot....4.

- Damien, apologetically on behalf of the Go team. 

comment 0 and doctext updated for the same.
Comment 22 errata-xmlrpc 2024-03-19 22:12:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1363 https://access.redhat.com/errata/RHSA-2024:1363
Comment 23 errata-xmlrpc 2024-03-20 11:40:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1362 https://access.redhat.com/errata/RHSA-2024:1362
Comment 25 errata-xmlrpc 2024-03-27 00:41:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:1456 https://access.redhat.com/errata/RHSA-2024:1456
Comment 26 errata-xmlrpc 2024-03-27 00:41:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1461 https://access.redhat.com/errata/RHSA-2024:1461
Comment 30 errata-xmlrpc 2024-03-27 14:21:31 UTC 
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2024:1507 https://access.redhat.com/errata/RHSA-2024:1507
Comment 31 errata-xmlrpc 2024-03-27 14:39:45 UTC 
This issue has been addressed in the following products:

  RHOL-5.7-RHEL-8

Via RHSA-2024:1508 https://access.redhat.com/errata/RHSA-2024:1508
Comment 32 errata-xmlrpc 2024-03-27 15:01:02 UTC 
This issue has been addressed in the following products:

  RHOL-5.8-RHEL-9

Via RHSA-2024:1474 https://access.redhat.com/errata/RHSA-2024:1474
Comment 33 errata-xmlrpc 2024-03-27 15:03:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:1537 https://access.redhat.com/errata/RHSA-2024:1537
Comment 34 errata-xmlrpc 2024-03-27 15:07:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1538 https://access.redhat.com/errata/RHSA-2024:1538
Comment 35 errata-xmlrpc 2024-04-02 19:33:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1559 https://access.redhat.com/errata/RHSA-2024:1559
Comment 36 errata-xmlrpc 2024-04-02 21:38:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1563 https://access.redhat.com/errata/RHSA-2024:1563
Comment 37 errata-xmlrpc 2024-04-03 07:36:31 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1574 https://access.redhat.com/errata/RHSA-2024:1574
Comment 39 errata-xmlrpc 2024-04-03 18:44:15 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2024:1665 https://access.redhat.com/errata/RHSA-2024:1665
Comment 41 errata-xmlrpc 2024-04-11 21:30:59 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2024:1795 https://access.redhat.com/errata/RHSA-2024:1795
Comment 42 errata-xmlrpc 2024-04-16 17:27:07 UTC 
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859
Comment 44 errata-xmlrpc 2024-04-18 01:55:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1874 https://access.redhat.com/errata/RHSA-2024:1874
Comment 45 errata-xmlrpc 2024-04-18 12:41:20 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:1925 https://access.redhat.com/errata/RHSA-2024:1925
Comment 46 errata-xmlrpc 2024-04-30 14:37:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2549 https://access.redhat.com/errata/RHSA-2024:2549
Comment 47 errata-xmlrpc 2024-05-01 02:44:52 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2024:2639 https://access.redhat.com/errata/RHSA-2024:2639
Comment 50 errata-xmlrpc 2024-05-09 15:00:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2666 https://access.redhat.com/errata/RHSA-2024:2666
Comment 51 errata-xmlrpc 2024-05-15 18:44:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2773 https://access.redhat.com/errata/RHSA-2024:2773
Comment 52 errata-xmlrpc 2024-05-16 16:12:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:2781 https://access.redhat.com/errata/RHSA-2024:2781
Comment 53 errata-xmlrpc 2024-05-22 11:38:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3254 https://access.redhat.com/errata/RHSA-2024:3254
Comment 54 errata-xmlrpc 2024-05-23 06:22:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2874 https://access.redhat.com/errata/RHSA-2024:2874
Comment 55 errata-xmlrpc 2024-05-23 06:40:05 UTC 
This issue has been addressed in the following products:

  MTA-7.0-RHEL-9
  MTA-7.0-RHEL-8

Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316
Comment 56 errata-xmlrpc 2024-06-05 05:15:54 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.2

Via RHSA-2024:3621 https://access.redhat.com/errata/RHSA-2024:3621
Comment 57 errata-xmlrpc 2024-06-05 14:44:08 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.13-RHEL-8

Via RHSA-2024:3636 https://access.redhat.com/errata/RHSA-2024:3636
Comment 58 errata-xmlrpc 2024-06-05 14:44:29 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.14-RHEL-8

Via RHSA-2024:3634 https://access.redhat.com/errata/RHSA-2024:3634
Comment 59 errata-xmlrpc 2024-06-05 14:45:11 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.12-RHEL-8

Via RHSA-2024:3635 https://access.redhat.com/errata/RHSA-2024:3635
Comment 60 errata-xmlrpc 2024-06-06 12:25:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.5 for RHEL 8

Via RHSA-2024:3683 https://access.redhat.com/errata/RHSA-2024:3683
Comment 62 errata-xmlrpc 2024-06-12 07:30:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:3715 https://access.redhat.com/errata/RHSA-2024:3715
Comment 63 Dhananjay Arunesh 2024-06-12 08:26:25 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2291459]
Affects: fedora-all [bug 2291460]
Comment 65 errata-xmlrpc 2024-06-17 00:44:17 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868
Comment 66 errata-xmlrpc 2024-06-20 13:20:25 UTC 
This issue has been addressed in the following products:

  RHOSS-1.33-RHEL-8

Via RHSA-2024:4028 https://access.redhat.com/errata/RHSA-2024:4028
Comment 67 errata-xmlrpc 2024-06-27 10:52:24 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0040 https://access.redhat.com/errata/RHSA-2024:0040
Comment 68 errata-xmlrpc 2024-06-27 11:24:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041
Comment 69 errata-xmlrpc 2024-06-27 12:38:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.12
  Red Hat OpenShift GitOps 1.12 - RHEL 9

Via RHSA-2024:4163 https://access.redhat.com/errata/RHSA-2024:4163
Comment 70 errata-xmlrpc 2024-06-27 13:01:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0045 https://access.redhat.com/errata/RHSA-2024:0045
Comment 71 errata-xmlrpc 2024-06-27 13:15:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0043 https://access.redhat.com/errata/RHSA-2024:0043
Comment 72 errata-xmlrpc 2024-07-01 00:29:21 UTC 
This issue has been addressed in the following products:

  RODOO-1.1-RHEL-9

Via RHSA-2024:1616 https://access.redhat.com/errata/RHSA-2024:1616
Comment 73 errata-xmlrpc 2024-07-01 00:39:47 UTC 
This issue has been addressed in the following products:

  OSSO-1.3-RHEL-9

Via RHSA-2024:3637 https://access.redhat.com/errata/RHSA-2024:3637
Comment 74 errata-xmlrpc 2024-07-01 00:52:56 UTC 
This issue has been addressed in the following products:

  KDO-5.0-RHEL-9

Via RHSA-2024:3617 https://access.redhat.com/errata/RHSA-2024:3617
Comment 75 errata-xmlrpc 2024-07-02 15:24:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4246 https://access.redhat.com/errata/RHSA-2024:4246
Comment 76 errata-xmlrpc 2024-07-02 16:44:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4150 https://access.redhat.com/errata/RHSA-2024:4150
Comment 78 errata-xmlrpc 2024-07-10 12:41:04 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.16

Via RHSA-2024:4455 https://access.redhat.com/errata/RHSA-2024:4455
Comment 80 errata-xmlrpc 2024-07-17 13:15:08 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591
Comment 81 errata-xmlrpc 2024-07-17 18:47:06 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.15-RHEL-8

Via RHSA-2024:4597 https://access.redhat.com/errata/RHSA-2024:4597
Comment 82 errata-xmlrpc 2024-07-18 13:37:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.11

Via RHSA-2024:4626 https://access.redhat.com/errata/RHSA-2024:4626
Comment 83 errata-xmlrpc 2024-08-06 16:21:27 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.16

Via RHSA-2024:5054 https://access.redhat.com/errata/RHSA-2024:5054
Comment 84 errata-xmlrpc 2024-08-20 15:21:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:5422 https://access.redhat.com/errata/RHSA-2024:5422
Comment 85 errata-xmlrpc 2024-09-03 11:45:27 UTC 
This issue has been addressed in the following products:

  OPENSHIFT-BUILDS-1.1-RHEL-8

Via RHSA-2024:6221 https://access.redhat.com/errata/RHSA-2024:6221
Comment 86 errata-xmlrpc 2024-09-03 19:14:28 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:6004 https://access.redhat.com/errata/RHSA-2024:6004
Comment 87 errata-xmlrpc 2024-09-11 13:41:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:6409 https://access.redhat.com/errata/RHSA-2024:6409
Comment 88 errata-xmlrpc 2024-09-24 15:28:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:6824 https://access.redhat.com/errata/RHSA-2024:6824
Comment 89 errata-xmlrpc 2024-10-01 01:42:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:3717 https://access.redhat.com/errata/RHSA-2024:3717
Comment 91 errata-xmlrpc 2024-10-01 17:30:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:3718 https://access.redhat.com/errata/RHSA-2024:3718
Comment 92 errata-xmlrpc 2024-10-03 11:01:30 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:7184 https://access.redhat.com/errata/RHSA-2024:7184
Comment 93 errata-xmlrpc 2024-10-14 01:36:32 UTC 
This issue has been addressed in the following products:

  CLUSTER-OBSERVABILITY-OPERATOR-0.4-RHEL-8

Via RHSA-2024:8040 https://access.redhat.com/errata/RHSA-2024:8040
Comment 94 errata-xmlrpc 2024-10-16 00:34:57 UTC 
This issue has been addressed in the following products:

  RODOO-1.2-RHEL-9

Via RHSA-2024:7548 https://access.redhat.com/errata/RHSA-2024:7548
Comment 95 errata-xmlrpc 2024-10-16 02:40:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:7922 https://access.redhat.com/errata/RHSA-2024:7922
Comment 96 errata-xmlrpc 2024-10-29 17:50:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:8434 https://access.redhat.com/errata/RHSA-2024:8434
Comment 97 errata-xmlrpc 2024-10-30 01:13:23 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:8415 https://access.redhat.com/errata/RHSA-2024:8415
Comment 98 errata-xmlrpc 2024-10-30 14:26:32 UTC 
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2024:8676 https://access.redhat.com/errata/RHSA-2024:8676
Comment 99 errata-xmlrpc 2024-11-20 00:46:36 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:9615 https://access.redhat.com/errata/RHSA-2024:9615
Comment 100 errata-xmlrpc 2024-11-26 18:45:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:10147 https://access.redhat.com/errata/RHSA-2024:10147
Comment 103 errata-xmlrpc 2024-12-02 14:11:44 UTC 
This issue has been addressed in the following products:

  KDO-5.0-RHEL-9

Via RHSA-2024:8704 https://access.redhat.com/errata/RHSA-2024:8704
Comment 105 errata-xmlrpc 2025-01-23 13:02:48 UTC 
This issue has been addressed in the following products:

  RHOSS-1.35-RHEL-8

Via RHSA-2025:0664 https://access.redhat.com/errata/RHSA-2025:0664
Comment 106 errata-xmlrpc 2025-01-28 04:29:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0654 https://access.redhat.com/errata/RHSA-2025:0654
Comment 107 errata-xmlrpc 2025-02-25 04:38:23 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2024:6122 https://access.redhat.com/errata/RHSA-2024:6122
Comment 108 errata-xmlrpc 2025-03-11 02:08:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:2449 https://access.redhat.com/errata/RHSA-2025:2449
Comment 115 errata-xmlrpc 2025-04-30 03:47:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:4204 https://access.redhat.com/errata/RHSA-2025:4204
Comment 118 errata-xmlrpc 2025-06-26 12:11:19 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 8.1

Via RHSA-2025:9775 https://access.redhat.com/errata/RHSA-2025:9775