Bug 2064857 (CVE-2022-24921) - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
Summary: CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-24921
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2066513 2071534 2071536 2065362 2065363 2066507 2066508 2066509 2066510 2066512 2066925 2066926 2066927 2066928 2066929 2066930 2066931 2066932 2066933 2066934 2066935 2066936 2066937 2071142 2071143 2071144 2071145 2071146 2071147 2071148 2071149 2071150 2071151 2071152 2071153 2071154 2071155 2071156 2071157 2071158 2071159 2071160 2071161 2071162 2071163 2071164 2071165 2071168 2071169 2071170 2071535 2071555 2071556 2077168 2077169 2077170 2077171 2077172 2077173 2077175 2077176 2077177 2077178 2077179 2077180 2077181 2077182 2077183 2077184 2077185 2077186 2077187 2077188 2077189 2077190 2077191 2077192 2077193 2077194 2077195 2077196 2077197 2077198 2077199 2077201 2077202 2077203 2077205 2077206 2077208 2077209 2077210 2077212 2077213 2077215 2077216 2077218 2077219 2077220 2077222 2077223 2077225 2077226 2077227 2077228 2077229 2077230 2077231 2077232 2077233 2077234 2077235 2077236 2077237 2077238 2077239 2077240
Blocks: 2064858
Reported: 2022-03-16 19:02 UTC by Patrick Del Bello
Modified: 2024-03-14 14:15 UTC (History)

Fixed In Version: golang 1.16.15, golang 1.17.8
Doc Type: If docs needed, set a value
Doc Text:
A stack overflow flaw was found in Golang's regexp module. An application that compiles very long or arbitrarily long regular expressions from untrusted sources can crash the runtime if those expressions have sufficient nesting depth. To exploit this vulnerability, an attacker would need to send large regexps with deep nesting to the application. Triggering this flaw crashes the runtime, which causes a denial of service.
Clone Of:
Environment:
Last Closed: 2023-01-26 18:22:19 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5068 0 None None None 2022-08-10 10:09:15 UTC
Red Hat Product Errata RHSA-2022:5415 0 None None None 2022-06-28 19:26:23 UTC
Red Hat Product Errata RHSA-2022:5729 0 None None None 2022-08-01 11:15:47 UTC
Red Hat Product Errata RHSA-2022:5730 0 None None None 2022-08-01 11:34:34 UTC
Red Hat Product Errata RHSA-2022:6040 0 None None None 2022-08-10 13:14:57 UTC
Red Hat Product Errata RHSA-2022:6042 0 None None None 2022-08-10 11:36:37 UTC
Red Hat Product Errata RHSA-2022:6156 0 None None None 2022-08-24 13:47:12 UTC
Red Hat Product Errata RHSA-2022:6277 0 None None None 2022-08-31 16:55:30 UTC
Red Hat Product Errata RHSA-2022:6526 0 None None None 2022-09-14 19:27:51 UTC
Red Hat Product Errata RHSA-2022:6714 0 None None None 2022-09-26 15:26:33 UTC
Red Hat Product Errata RHSA-2022:8750 0 None None None 2022-12-01 21:09:59 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:48:51 UTC

Description Patrick Del Bello 2022-03-16 19:02:47 UTC
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.

Reference: https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk
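One defender-side mitigation for services that must accept patterns from untrusted input, as an added Go example that is not part of this bug report or of the Go fix: bound the pattern's length and group-nesting depth before calling regexp.Compile, so hostile input is refused cheaply. The limits maxPatternLen and maxNestingDepth and the helper names are assumptions.

```go
package main

import (
	"errors"
	"regexp"
)

// Assumed limits for this example (not values from Go or the bug); tune to
// the patterns your application legitimately needs.
const maxPatternLen, maxNestingDepth = 1024, 32

// NestingDepth returns the deepest group nesting in pattern. Escaped
// characters and the contents of character classes are skipped so that
// "\(" and "[(]" are not counted; a misparsed class only over-counts.
func NestingDepth(pattern string) int {
	depth, maxDepth := 0, 0
	inClass := false
	for i := 0; i < len(pattern); i++ {
		switch c := pattern[i]; {
		case c == '\\':
			i++ // skip the escaped character
		case inClass:
			inClass = c != ']'
		case c == '[':
			inClass = true
		case c == '(':
			depth++
			if depth > maxDepth {
				maxDepth = depth
			}
		case c == ')' && depth > 0:
			depth--
		}
	}
	return maxDepth
}

// SafeCompile bounds the size and nesting of an untrusted pattern before
// handing it to regexp.Compile, so a hostile input is refused up front
// instead of driving the compiler's recursion until the stack is gone.
func SafeCompile(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, errors.New("regexp pattern exceeds length limit")
	}
	if NestingDepth(pattern) > maxNestingDepth {
		return nil, errors.New("regexp pattern nests too deeply")
	}
	return regexp.Compile(pattern)
}
```

The pre-check complements, rather than replaces, upgrading to a fixed Go release; it also keeps a patched compiler from spending work on patterns no legitimate client would send.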

Comment 3 Todd Cullum 2022-03-21 23:07:21 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2066512]
Affects: openstack-rdo [bug 2066513]

Comment 16 errata-xmlrpc 2022-06-28 19:26:18 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5415 https://access.redhat.com/errata/RHSA-2022:5415

Comment 19 errata-xmlrpc 2022-08-01 11:15:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5729 https://access.redhat.com/errata/RHSA-2022:5729

Comment 20 errata-xmlrpc 2022-08-01 11:34:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5730 https://access.redhat.com/errata/RHSA-2022:5730

Comment 23 errata-xmlrpc 2022-08-10 10:09:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5068 https://access.redhat.com/errata/RHSA-2022:5068

Comment 24 errata-xmlrpc 2022-08-10 11:36:31 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042

Comment 25 errata-xmlrpc 2022-08-10 13:14:51 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040

Comment 28 Misha Sugakov 2022-08-19 16:19:33 UTC
Could someone please confirm which go 1.18 version addresses/is free from this vulnerability?

Comment 29 errata-xmlrpc 2022-08-24 13:47:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 30 errata-xmlrpc 2022-08-31 16:55:24 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277

Comment 31 errata-xmlrpc 2022-09-14 19:27:45 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526

Comment 32 errata-xmlrpc 2022-09-26 15:26:27 UTC
This issue has been addressed in the following products:

  RHACS-3.72-RHEL-8

Via RHSA-2022:6714 https://access.redhat.com/errata/RHSA-2022:6714

Comment 35 errata-xmlrpc 2022-12-01 21:09:53 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:8750 https://access.redhat.com/errata/RHSA-2022:8750

Comment 53 errata-xmlrpc 2023-01-24 12:48:47 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407

Comment 54 Product Security DevOps Team 2023-01-26 18:22:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24921
