2154200 – (CVE-2022-23524) CVE-2022-23524 helm: Denial of service through string value parsing

Bug 2154200 (CVE-2022-23524) - CVE-2022-23524 helm: Denial of service through string value parsing

Summary: CVE-2022-23524 helm: Denial of service through string value parsing

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-23524
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2155939 2155941
Blocks:	2154131
TreeView+	depends on / blocked

Reported:	2022-12-16 09:38 UTC by Avinash Hanwate
Modified:	2023-05-03 01:50 UTC (History)
CC List:	31 users (show)
Fixed In Version:	helm.sh/helm/v3 3.10.3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Helm, a tool for managing Charts, a pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption. Input to functions in the _strvals_ package could cause a stack overflow that is unrecoverable by Go. Applications that use functions from the _strvals_ package in Helm SDK may result in a denial of service.
Clone Of:
Environment:
Last Closed:	2023-04-11 12:39:32 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:1646	0	None	None	None	2023-04-11 07:55:00 UTC

Description Avinash Hanwate 2022-12-16 09:38:12 UTC

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.

https://github.com/helm/helm/security/advisories/GHSA-6rx9-889q-vv2r

Comment 3 Anten Skrabec 2022-12-23 00:45:22 UTC

Created golang-helm-3 tracking bugs for this issue:

Affects: fedora-all [bug 2155939]

Comment 15 errata-xmlrpc 2023-04-11 07:54:57 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:1646 https://access.redhat.com/errata/RHSA-2023:1646

Comment 16 Product Security DevOps Team 2023-04-11 12:39:29 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23524

Note You need to log in before you can comment on or make changes to this bug.

aazores
abenaiss
amackenz
amasferr
askrabec
chazlett
dfreiber
eaguilar
ebaron
gparvin
jburrell
jkang
jpallich
jwon
lball
matzew
mkudlej
njean
ocs-bugs
owatkins
pahickey
pjindal
rhuss
rogbas
rrajasek
sfroberg
stcannon
teagle
tjochec
tnielsen
vkumar