Bug 2279814 (CVE-2024-24788)

Summary: CVE-2024-24788 golang: net: malformed DNS message can cause infinite loop
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, abarbaro, abishop, adudiak, akostadi, alcohan, amasferr, amctagga, anjoseph, ansmith, aoconnor, apevec, asatyam, bdettelb, bniver, bodavis, brking, caswilli, cbartlet, cdaley, chazlett, cmah, danken, davidn, dbenoit, dfreiber, dhanak, diagrawa, dkenigsb, dmayorov, doconnor, dperaza, drow, dsimansk, dymurray, eaguilar, ebaron, eglynn, emachado, epacific, fdeutsch, fjansen, flucifre, ganandan, gkamathe, gmeno, gparvin, gsuckevi, haoli, hkataria, ibolton, jajackso, jburrell, jcammara, jcantril, jchui, jdobes, jhardy, jhe, jjoyce, jkang, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jobarker, joelsmith, jolong, jpallich, jprabhak, jschluet, kaycoth, kegrant, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lbainbri, lchilton, lcouzens, lhh, lmadsen, lsvaty, mabashia, manissin, matzew, mbenjamin, mbocek, mburns, mgarciac, mhackett, mkudlej, mmagr, mmakovy, mnewsome, mnovotny, mrajanna, mrunge, mskarbek, mwringe, nboldt, njean, nobody, odf-bz-bot, omaciel, orabin, oramraz, owatkins, pahickey, pbraun, peholase, pgaikwad, pgrist, phoracek, pierdipi, pjindal, psegedy, psrna, relrod, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rojacob, rtaniwa, sabiswas, saroy, sausingh, sdawley, sfeifer, sfroberg, shvarugh, sidakwo, simaishi, sipoyare, skontopo, slucidi, smcdonal, smullick, sostapov, spandura, sseago, stcannon, stirabos, teagle, tfister, thason, thavo, tjochec, tkral, vereddy, vimartin, vkumar, whayutin, wtam, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Go 1.22.3, Go 1.21.10
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the net package of the Go stdlib. When a malformed DNS message is received as a response to a query, the Lookup functions within the net package can get stuck in an infinite loop. This issue can lead to resource exhaustion and denial of service (DoS) conditions.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2279829, 2279830, 2279832, 2279833, 2349922, 2279815, 2279816, 2279820, 2279821, 2279822, 2279823, 2279824, 2279825, 2279826, 2279827, 2279828, 2279831, 2279834, 2279835, 2279836, 2279837, 2279838    
Bug Blocks: 2279819    

Description Avinash Hanwate 2024-05-09 04:35:05 UTC
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

https://go.dev/cl/578375
https://go.dev/issue/66754
https://groups.google.com/g/golang-announce/c/wkkO4P9stm0
https://pkg.go.dev/vuln/GO-2024-2824
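
The Doc Text and Description above say that a malformed response can leave the net package's Lookup functions in an infinite loop, but not what such a loop looks like. The Go program below is an added example written for this page; it is not code from the Go standard library and not the fix in https://go.dev/cl/578375, which together with https://go.dev/issue/66754 is the authoritative description of the actual defect. It shows the general failure class with a minimal, stdlib-only DNS message walker: a loop that reads a record header, tries to step past the record, and ignores the error from that step, so a response whose RDLENGTH runs past the end of the message leaves the cursor where it was and the same record is read forever; the hardened form stops on that error. The names walker, next and findOPT, the checkErr switch and the no-progress guard are this example's own, and the two messages are constructed inline, not captured traffic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const typeOPT = 41 // EDNS(0) OPT pseudo-record (RFC 6891)

var (
	errTruncated  = errors.New("dns: message truncated")
	errBadLabel   = errors.New("dns: unsupported or invalid label")
	errNoProgress = errors.New("dns: walker made no progress (would loop forever)")
)

// skipName returns the offset just past the uncompressed name at off. A byte with its
// top two bits set is an RFC 1035 compression pointer; this minimal walker rejects
// pointers (and the reserved 0x40/0x80 label types) rather than following them.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		l := int(msg[off])
		if l == 0 {
			return off + 1, nil
		}
		if l >= 0x40 {
			return 0, errBadLabel
		}
		off += 1 + l
	}
	return 0, errTruncated
}

// walker is a cursor into a DNS message plus the number of records still expected.
type walker struct {
	msg            []byte
	off, remaining int
}

// next consumes the record at the cursor and returns its TYPE. On a malformed record
// it returns an error and leaves off and remaining untouched, so a caller that
// ignores the error sees exactly the same record again on the next call.
func (w *walker) next() (uint16, error) {
	off, err := skipName(w.msg, w.off)
	if err != nil {
		return 0, err
	}
	if off+10 > len(w.msg) { // TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
		return 0, errTruncated
	}
	typ := binary.BigEndian.Uint16(w.msg[off:])
	end := off + 10 + int(binary.BigEndian.Uint16(w.msg[off+8:]))
	if end > len(w.msg) { // RDLENGTH overruns the message
		return typ, errTruncated
	}
	w.off, w.remaining = end, w.remaining-1
	return typ, nil
}

// findOPT walks a response looking for the OPT record. With checkErr=false the error
// from next is ignored, the loop shape that spins forever on a record whose RDLENGTH
// overruns the message; the no-progress guard exists only so this demo terminates.
func findOPT(msg []byte, checkErr bool) (bool, error) {
	if len(msg) < 12 {
		return false, errTruncated
	}
	w := &walker{msg: msg, off: 12}
	for i := 6; i <= 10; i += 2 { // ANCOUNT+NSCOUNT+ARCOUNT, walked as one section here
		w.remaining += int(binary.BigEndian.Uint16(msg[i:]))
	}
	for qd := binary.BigEndian.Uint16(msg[4:]); qd > 0; qd-- { // QNAME QTYPE QCLASS
		next, err := skipName(msg, w.off)
		if err != nil {
			return false, err
		}
		if w.off = next + 4; w.off > len(msg) {
			return false, errTruncated
		}
	}
	for w.remaining > 0 {
		before := w.off
		typ, err := w.next()
		if err != nil && checkErr {
			return false, err // hardened form: a malformed record ends the walk
		}
		if typ == typeOPT {
			return true, nil
		}
		if w.off == before { // error ignored and cursor unmoved: the real loop never exits
			return false, errNoProgress
		}
	}
	return false, nil
}

// Constructed messages (not captured traffic): replies to "example.com. A" with two
// records in the additional section, which starts at offset 29. Record layout is
// NAME TYPE CLASS TTL RDLENGTH RDATA.
var (
	hdrAndQ    = "\x12\x34\x81\x80\x00\x01\x00\x00\x00\x00\x00\x02\x07example\x03com\x00\x00\x01\x00\x01"
	optRR      = "\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00"                                          // root name, OPT, 4096, RDLENGTH 0
	wellFormed = []byte(hdrAndQ + "\x07example\x03com\x00\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\xc0\x00\x02\x01" + optRR) // A 192.0.2.1
	truncated  = []byte(hdrAndQ + "\x07example\x03com\x00\x00\x01\x00\x01\x00\x00\x00\x00\x01\xf4" + optRR)                 // RDLENGTH 500, no RDATA
)

func main() {
	for name, m := range map[string][]byte{"well-formed": wellFormed, "truncated RDATA": truncated} {
		for _, check := range []bool{false, true} {
			found, err := findOPT(m, check)
			fmt.Printf("%-16s checkErr=%-5t found=%-5t err=%v\n", name, check, found, err)
		}
	}
}
```

With go run, the well-formed message finds the OPT record either way; the truncated one yields errTruncated with the check and errNoProgress without it, which stands in for a resolver goroutine pinned at 100% CPU. For the real bug the remedy is the toolchain update listed in Fixed In Version and a rebuild of affected binaries (go version -m <binary> shows which toolchain a binary was built with, and govulncheck reports GO-2024-2824 against it); a context deadline on net.Resolver returns control to the caller but does not stop a resolver goroutine that is already spinning.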

Comment 1 Avinash Hanwate 2024-05-09 04:40:37 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2279815]
Affects: fedora-all [bug 2279816]

Comment 9 errata-xmlrpc 2024-07-22 10:11:24 UTC
This issue has been addressed in the following products:

  Cryostat 3 on RHEL 8

Via RHSA-2024:4697 https://access.redhat.com/errata/RHSA-2024:4697

Comment 10 errata-xmlrpc 2024-07-24 18:53:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4613 https://access.redhat.com/errata/RHSA-2024:4613

Comment 11 errata-xmlrpc 2024-07-24 19:09:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4616 https://access.redhat.com/errata/RHSA-2024:4616

Comment 12 errata-xmlrpc 2024-07-25 14:44:25 UTC
This issue has been addressed in the following products:

  RHOSS-1.33-RHEL-8

Via RHSA-2024:4872 https://access.redhat.com/errata/RHSA-2024:4872

Comment 13 errata-xmlrpc 2024-08-01 19:11:11 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:4982 https://access.redhat.com/errata/RHSA-2024:4982

Comment 15 errata-xmlrpc 2024-08-13 15:25:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5291 https://access.redhat.com/errata/RHSA-2024:5291

Comment 16 errata-xmlrpc 2024-08-19 07:41:58 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:5547 https://access.redhat.com/errata/RHSA-2024:5547

Comment 19 errata-xmlrpc 2024-09-03 11:45:35 UTC
This issue has been addressed in the following products:

  OPENSHIFT-BUILDS-1.1-RHEL-8

Via RHSA-2024:6221 https://access.redhat.com/errata/RHSA-2024:6221

Comment 20 errata-xmlrpc 2024-09-09 00:49:16 UTC
This issue has been addressed in the following products:

  Cost Management for RHEL 8

Via RHSA-2024:6462 https://access.redhat.com/errata/RHSA-2024:6462

Comment 21 errata-xmlrpc 2024-09-18 16:04:05 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:6765 https://access.redhat.com/errata/RHSA-2024:6765

Comment 22 errata-xmlrpc 2024-09-24 03:21:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6969 https://access.redhat.com/errata/RHSA-2024:6969

Comment 23 errata-xmlrpc 2024-09-26 03:47:27 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:7164 https://access.redhat.com/errata/RHSA-2024:7164

Comment 26 errata-xmlrpc 2024-10-23 00:30:35 UTC
This issue has been addressed in the following products:

  KDO-5.1-RHEL-9

Via RHSA-2024:6341 https://access.redhat.com/errata/RHSA-2024:6341

Comment 27 errata-xmlrpc 2024-11-12 08:41:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9089 https://access.redhat.com/errata/RHSA-2024:9089

Comment 28 errata-xmlrpc 2024-11-12 08:45:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9098 https://access.redhat.com/errata/RHSA-2024:9098

Comment 29 errata-xmlrpc 2024-11-12 08:48:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9115 https://access.redhat.com/errata/RHSA-2024:9115

Comment 30 errata-xmlrpc 2024-11-12 08:54:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9135 https://access.redhat.com/errata/RHSA-2024:9135

Comment 31 errata-xmlrpc 2024-11-12 09:05:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9200 https://access.redhat.com/errata/RHSA-2024:9200

Comment 32 errata-xmlrpc 2024-11-12 09:10:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9277 https://access.redhat.com/errata/RHSA-2024:9277

Comment 33 errata-xmlrpc 2024-11-13 13:15:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Services on OpenShift PODIFIED 1.0

Via RHSA-2024:9485 https://access.redhat.com/errata/RHSA-2024:9485