Bug 2310528 (CVE-2024-34156)

Summary: CVE-2024-34156 encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, alcohan, amctagga, anjoseph, ansmith, aoconnor, bniver, brking, cchiang, chazlett, chfoley, cmah, crizzo, danken, dhanak, dholler, dsimansk, dymurray, eaguilar, ebaron, eglynn, fdeutsch, flucifre, gkamathe, gmeno, gparvin, haoli, hkataria, ibolton, jaharrin, jajackso, jburrell, jcammara, jcantril, jeder, jforrest, jjoyce, jkang, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, jolong, jpallich, jprabhak, jschluet, jscholz, jwendell, kegrant, kingland, koliveir, kshier, kverlaen, lbainbri, lchilton, lgamliel, lhh, lphiri, lsvaty, mabashia, manissin, matzew, mbenjamin, mburns, mgarciac, mhackett, mijjapur, mnovotny, mwringe, njean, nobody, oramraz, owatkins, pahickey, pbraun, peholase, pgaikwad, pgrist, phoracek, pierdipi, pjindal, prodsec-dev, rcernich, rfreiman, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rojacob, saroy, sausingh, sdawley, sfeifer, sfroberg, shvarugh, simaishi, slucidi, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, swoodman, teagle, tfister, thason, thavo, tsweeney, twalsh, vereddy, whayutin, wtam, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---Flags: mijjapur: needinfo? (prodsec-dev)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the encoding/gob package of the Golang standard library. Calling Decoder.Decoding, a message that contains deeply nested structures, can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2310568, 2310570, 2310571, 2311673, 2310555, 2310556, 2310557, 2310558, 2310559, 2310560, 2310561, 2310562, 2310563, 2310564, 2310566, 2310567, 2310569, 2310573    
Bug Blocks:    

Description OSIDB Bzimport 2024-09-06 21:20:33 UTC 
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Comment 3 errata-xmlrpc 2024-09-23 01:37:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6914 https://access.redhat.com/errata/RHSA-2024:6914
Comment 4 errata-xmlrpc 2024-09-23 01:47:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6908 https://access.redhat.com/errata/RHSA-2024:6908
Comment 5 errata-xmlrpc 2024-09-23 01:47:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6913 https://access.redhat.com/errata/RHSA-2024:6913
Comment 6 errata-xmlrpc 2024-09-23 01:52:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6912 https://access.redhat.com/errata/RHSA-2024:6912
Comment 7 errata-xmlrpc 2024-09-23 18:35:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6946 https://access.redhat.com/errata/RHSA-2024:6946
Comment 8 errata-xmlrpc 2024-09-23 18:43:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6947 https://access.redhat.com/errata/RHSA-2024:6947
Comment 9 errata-xmlrpc 2024-09-25 11:26:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:7102 https://access.redhat.com/errata/RHSA-2024:7102
Comment 10 errata-xmlrpc 2024-09-25 11:27:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:7103 https://access.redhat.com/errata/RHSA-2024:7103
Comment 11 errata-xmlrpc 2024-09-25 18:28:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7135 https://access.redhat.com/errata/RHSA-2024:7135
Comment 12 errata-xmlrpc 2024-09-25 18:35:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:7136 https://access.redhat.com/errata/RHSA-2024:7136
Comment 13 errata-xmlrpc 2024-09-26 11:27:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7202 https://access.redhat.com/errata/RHSA-2024:7202
Comment 14 errata-xmlrpc 2024-09-26 11:41:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:7208 https://access.redhat.com/errata/RHSA-2024:7208
Comment 15 errata-xmlrpc 2024-09-26 12:14:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:7205 https://access.redhat.com/errata/RHSA-2024:7205
Comment 16 errata-xmlrpc 2024-09-26 12:22:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:7204 https://access.redhat.com/errata/RHSA-2024:7204
Comment 17 errata-xmlrpc 2024-09-26 12:22:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7207 https://access.redhat.com/errata/RHSA-2024:7207
Comment 18 errata-xmlrpc 2024-09-26 12:22:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:7206 https://access.redhat.com/errata/RHSA-2024:7206
Comment 19 errata-xmlrpc 2024-09-26 12:27:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7203 https://access.redhat.com/errata/RHSA-2024:7203
Comment 21 errata-xmlrpc 2024-09-26 18:27:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:7261 https://access.redhat.com/errata/RHSA-2024:7261
Comment 22 errata-xmlrpc 2024-09-26 18:33:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7262 https://access.redhat.com/errata/RHSA-2024:7262
Comment 23 errata-xmlrpc 2024-09-30 01:20:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:7351 https://access.redhat.com/errata/RHSA-2024:7351
Comment 24 errata-xmlrpc 2024-09-30 01:21:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7350 https://access.redhat.com/errata/RHSA-2024:7350
Comment 25 errata-xmlrpc 2024-10-01 11:29:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:7449 https://access.redhat.com/errata/RHSA-2024:7449
Comment 26 errata-xmlrpc 2024-10-01 14:54:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:7455 https://access.redhat.com/errata/RHSA-2024:7455
Comment 27 errata-xmlrpc 2024-10-01 14:55:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:7456 https://access.redhat.com/errata/RHSA-2024:7456
Comment 28 errata-xmlrpc 2024-10-02 00:32:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:7487 https://access.redhat.com/errata/RHSA-2024:7487
Comment 29 errata-xmlrpc 2024-10-02 00:32:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:7488 https://access.redhat.com/errata/RHSA-2024:7488
Comment 30 errata-xmlrpc 2024-10-02 00:37:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:7485 https://access.redhat.com/errata/RHSA-2024:7485
Comment 31 errata-xmlrpc 2024-10-07 18:14:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:7769 https://access.redhat.com/errata/RHSA-2024:7769
Comment 32 errata-xmlrpc 2024-10-08 11:13:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:7791 https://access.redhat.com/errata/RHSA-2024:7791
Comment 33 errata-xmlrpc 2024-10-08 11:13:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:7792 https://access.redhat.com/errata/RHSA-2024:7792
Comment 34 errata-xmlrpc 2024-10-08 11:15:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:7794 https://access.redhat.com/errata/RHSA-2024:7794
Comment 35 errata-xmlrpc 2024-10-08 11:18:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:7793 https://access.redhat.com/errata/RHSA-2024:7793
Comment 36 errata-xmlrpc 2024-10-08 18:22:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7818 https://access.redhat.com/errata/RHSA-2024:7818
Comment 37 errata-xmlrpc 2024-10-08 18:23:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:7822 https://access.redhat.com/errata/RHSA-2024:7822
Comment 38 errata-xmlrpc 2024-10-08 18:32:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7821 https://access.redhat.com/errata/RHSA-2024:7821
Comment 39 errata-xmlrpc 2024-10-08 18:34:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7819 https://access.redhat.com/errata/RHSA-2024:7819
Comment 40 errata-xmlrpc 2024-10-08 18:35:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7820 https://access.redhat.com/errata/RHSA-2024:7820
Comment 41 errata-xmlrpc 2024-10-09 12:00:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:7852 https://access.redhat.com/errata/RHSA-2024:7852
Comment 44 errata-xmlrpc 2024-10-14 01:58:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:8039 https://access.redhat.com/errata/RHSA-2024:8039
Comment 45 errata-xmlrpc 2024-10-14 02:14:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:8038 https://access.redhat.com/errata/RHSA-2024:8038
Comment 46 errata-xmlrpc 2024-10-15 08:38:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:8110 https://access.redhat.com/errata/RHSA-2024:8110
Comment 47 errata-xmlrpc 2024-10-15 09:16:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:8111 https://access.redhat.com/errata/RHSA-2024:8111
Comment 48 errata-xmlrpc 2024-10-15 09:28:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:8112 https://access.redhat.com/errata/RHSA-2024:8112
Comment 49 errata-xmlrpc 2024-10-22 01:06:08 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.7.0-RHEL-9

Via RHSA-2024:8014 https://access.redhat.com/errata/RHSA-2024:8014
Comment 50 errata-xmlrpc 2024-10-22 15:40:35 UTC 
This issue has been addressed in the following products:

  Cryostat 3 on RHEL 8

Via RHSA-2024:8329 https://access.redhat.com/errata/RHSA-2024:8329
Comment 51 errata-xmlrpc 2024-10-23 05:29:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:8229 https://access.redhat.com/errata/RHSA-2024:8229
Comment 52 errata-xmlrpc 2024-10-23 05:47:22 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:8232 https://access.redhat.com/errata/RHSA-2024:8232
Comment 53 errata-xmlrpc 2024-10-24 10:45:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:8260 https://access.redhat.com/errata/RHSA-2024:8260
Comment 54 errata-xmlrpc 2024-10-24 10:59:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:8263 https://access.redhat.com/errata/RHSA-2024:8263
Comment 55 errata-xmlrpc 2024-10-31 03:37:54 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:8425 https://access.redhat.com/errata/RHSA-2024:8425
Comment 56 errata-xmlrpc 2024-10-31 03:56:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:8428 https://access.redhat.com/errata/RHSA-2024:8428
Comment 57 errata-xmlrpc 2024-11-06 14:30:46 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:8688 https://access.redhat.com/errata/RHSA-2024:8688
Comment 58 errata-xmlrpc 2024-11-06 14:48:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:8690 https://access.redhat.com/errata/RHSA-2024:8690
Comment 59 errata-xmlrpc 2024-11-07 03:09:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:8692 https://access.redhat.com/errata/RHSA-2024:8692
Comment 60 errata-xmlrpc 2024-11-07 03:28:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12
  Ironic content for Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:8694 https://access.redhat.com/errata/RHSA-2024:8694
Comment 61 errata-xmlrpc 2024-11-08 01:46:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:8697 https://access.redhat.com/errata/RHSA-2024:8697
Comment 62 errata-xmlrpc 2024-11-08 15:00:06 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:8700 https://access.redhat.com/errata/RHSA-2024:8700
Comment 64 errata-xmlrpc 2024-11-12 11:11:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9454 https://access.redhat.com/errata/RHSA-2024:9454
Comment 65 errata-xmlrpc 2024-11-12 11:12:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9456 https://access.redhat.com/errata/RHSA-2024:9456
Comment 66 errata-xmlrpc 2024-11-12 11:13:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9459 https://access.redhat.com/errata/RHSA-2024:9459
Comment 67 errata-xmlrpc 2024-11-12 11:14:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9472 https://access.redhat.com/errata/RHSA-2024:9472
Comment 68 errata-xmlrpc 2024-11-12 11:14:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9473 https://access.redhat.com/errata/RHSA-2024:9473
Comment 69 errata-xmlrpc 2024-11-13 13:16:18 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Services on OpenShift PODIFIED 1.0

Via RHSA-2024:9485 https://access.redhat.com/errata/RHSA-2024:9485
Comment 70 errata-xmlrpc 2024-11-13 18:00:50 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:9583 https://access.redhat.com/errata/RHSA-2024:9583
Comment 71 errata-xmlrpc 2024-11-19 01:54:25 UTC 
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:9960 https://access.redhat.com/errata/RHSA-2024:9960
Comment 72 errata-xmlrpc 2024-11-22 01:07:18 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2024:10186 https://access.redhat.com/errata/RHSA-2024:10186
Comment 73 errata-xmlrpc 2024-11-25 18:24:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Dev Spaces 3 Containers

Via RHSA-2024:10236 https://access.redhat.com/errata/RHSA-2024:10236
Comment 74 errata-xmlrpc 2024-12-09 12:11:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:10883 https://access.redhat.com/errata/RHSA-2024:10883
Comment 75 errata-xmlrpc 2024-12-10 01:38:04 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:10906 https://access.redhat.com/errata/RHSA-2024:10906
Comment 76 errata-xmlrpc 2024-12-17 11:54:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:11216 https://access.redhat.com/errata/RHSA-2024:11216
Comment 77 errata-xmlrpc 2024-12-17 12:04:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:11217 https://access.redhat.com/errata/RHSA-2024:11217
Comment 78 errata-xmlrpc 2025-01-09 14:57:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2025:0203 https://access.redhat.com/errata/RHSA-2025:0203
Comment 79 errata-xmlrpc 2025-01-28 15:51:00 UTC 
This issue has been addressed in the following products:

  OADP-1.4-RHEL-9

Via RHSA-2025:0771 https://access.redhat.com/errata/RHSA-2025:0771
Comment 80 errata-xmlrpc 2025-02-10 01:04:36 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2025:1190 https://access.redhat.com/errata/RHSA-2025:1190
Comment 93 errata-xmlrpc 2025-04-10 00:25:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3773 https://access.redhat.com/errata/RHSA-2025:3773