Bug 2064857 (CVE-2022-24921) - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
Summary: CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-24921
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2066513 2071534 2071536 2065362 2065363 2066507 2066508 2066509 2066510 2066512 2066925 2066926 2066927 2066928 2066929 2066930 2066931 2066932 2066933 2066934 2066935 2066936 2066937 2071142 2071143 2071144 2071145 2071146 2071147 2071148 2071149 2071150 2071151 2071152 2071153 2071154 2071155 2071156 2071157 2071158 2071159 2071160 2071161 2071162 2071163 2071164 2071165 2071168 2071169 2071170 2071535 2071555 2071556 2077168 2077169 2077170 2077171 2077172 2077173 2077175 2077176 2077177 2077178 2077179 2077180 2077181 2077182 2077183 2077184 2077185 2077186 2077187 2077188 2077189 2077190 2077191 2077192 2077193 2077194 2077195 2077196 2077197 2077198 2077199 2077201 2077202 2077203 2077205 2077206 2077208 2077209 2077210 2077212 2077213 2077215 2077216 2077218 2077219 2077220 2077222 2077223 2077225 2077226 2077227 2077228 2077229 2077230 2077231 2077232 2077233 2077234 2077235 2077236 2077237 2077238 2077239 2077240
Blocks: 2064858 (Embargoed)
Reported: 2022-03-16 19:02 UTC by Patrick Del Bello
Modified: 2023-02-07 17:06 UTC (History)
CC List: 110 users

Fixed In Version: golang 1.16.15, golang 1.17.8
Doc Type: If docs needed, set a value
Doc Text:
A stack overflow flaw was found in Golang's regexp module, which can crash the runtime if an application using regexp accepts very long or arbitrarily long regexps with sufficient nesting depth from untrusted sources. To exploit this vulnerability, an attacker would need to send large regexps with deep nesting to the application. Triggering this flaw crashes the runtime, causing a denial of service.
Clone Of:
Environment:
Last Closed: 2023-01-26 18:22:19 UTC




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:5068  0        None      None    None     2022-08-10 10:09:15 UTC
Red Hat Product Errata  RHSA-2022:5415  0        None      None    None     2022-06-28 19:26:23 UTC
Red Hat Product Errata  RHSA-2022:5729  0        None      None    None     2022-08-01 11:15:47 UTC
Red Hat Product Errata  RHSA-2022:5730  0        None      None    None     2022-08-01 11:34:34 UTC
Red Hat Product Errata  RHSA-2022:6040  0        None      None    None     2022-08-10 13:14:57 UTC
Red Hat Product Errata  RHSA-2022:6042  0        None      None    None     2022-08-10 11:36:37 UTC
Red Hat Product Errata  RHSA-2022:6156  0        None      None    None     2022-08-24 13:47:12 UTC
Red Hat Product Errata  RHSA-2022:6277  0        None      None    None     2022-08-31 16:55:30 UTC
Red Hat Product Errata  RHSA-2022:6526  0        None      None    None     2022-09-14 19:27:51 UTC
Red Hat Product Errata  RHSA-2022:6714  0        None      None    None     2022-09-26 15:26:33 UTC
Red Hat Product Errata  RHSA-2022:8750  0        None      None    None     2022-12-01 21:09:59 UTC
Red Hat Product Errata  RHSA-2023:0407  0        None      None    None     2023-01-24 12:48:51 UTC

Description Patrick Del Bello 2022-03-16 19:02:47 UTC
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.

Reference: https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk
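
The Doc Text and the description above describe the exposure: an application that hands untrusted patterns to regexp.Compile on a Go runtime older than 1.16.15 / 1.17.8. The following is an added example, not code from the bug report or from the Go project, showing the defensive check such an application can apply before compiling: a length cap and a group-nesting-depth cap, so that oversized or deeply nested patterns are rejected with an error instead of reaching the parser. The limits, the function names and the sample patterns are all constructed for this example; the depth counter is an approximation of the parser's own nesting (it counts unescaped '(' outside character classes) and is meant as defense in depth alongside upgrading to a fixed Go version.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Constructed limits for this example; an application should pick values that
// cover the patterns it legitimately expects and nothing larger.
const (
	maxPatternLen   = 1024 // bytes
	maxNestingDepth = 64   // simultaneously open groups
)

var (
	errPatternTooLong = errors.New("pattern exceeds length limit")
	errPatternTooDeep = errors.New("pattern exceeds nesting-depth limit")
)

// checkPattern rejects patterns that are too long or that open more groups
// than maxNestingDepth at any point. Escaped parentheses and parentheses inside
// character classes are not counted, since the parser does not nest on them.
func checkPattern(p string) error {
	if len(p) > maxPatternLen {
		return errPatternTooLong
	}
	depth, inClass, escaped := 0, false, false
	for i := 0; i < len(p); i++ {
		c := p[i]
		switch {
		case escaped:
			escaped = false // the character after a backslash is literal
		case c == '\\':
			escaped = true
		case inClass:
			if c == ']' {
				inClass = false
			}
		case c == '[':
			inClass = true
		case c == '(':
			depth++
			if depth > maxNestingDepth {
				return errPatternTooDeep
			}
		case c == ')':
			if depth > 0 {
				depth--
			}
		}
	}
	return nil
}

// compileUntrusted applies checkPattern before handing the pattern to the
// standard library, so a rejected pattern never reaches regexp.Compile.
func compileUntrusted(p string) (*regexp.Regexp, error) {
	if err := checkPattern(p); err != nil {
		return nil, err
	}
	return regexp.Compile(p)
}

func main() {
	// Constructed inputs: one ordinary pattern and one that opens too many groups.
	for _, p := range []string{`^(a|b)+\(x\)[()]$`, "((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((("} {
		if re, err := compileUntrusted(p); err != nil {
			fmt.Printf("rejected (%d bytes): %v\n", len(p), err)
		} else {
			fmt.Printf("compiled: %s\n", re.String())
		}
	}
}
```

On Go 1.16.15, 1.17.8 and later, regexp.Compile itself returns a nesting-depth error for such patterns rather than overflowing the stack; the pre-check above keeps the rejection explicit and cheap in front of that parser, which also makes it easy to log and alert on callers that repeatedly submit oversized patterns.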

Comment 3 Todd Cullum 2022-03-21 23:07:21 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2066512]
Affects: openstack-rdo [bug 2066513]

Comment 16 errata-xmlrpc 2022-06-28 19:26:18 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5415 https://access.redhat.com/errata/RHSA-2022:5415

Comment 19 errata-xmlrpc 2022-08-01 11:15:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5729 https://access.redhat.com/errata/RHSA-2022:5729

Comment 20 errata-xmlrpc 2022-08-01 11:34:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5730 https://access.redhat.com/errata/RHSA-2022:5730

Comment 23 errata-xmlrpc 2022-08-10 10:09:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5068 https://access.redhat.com/errata/RHSA-2022:5068

Comment 24 errata-xmlrpc 2022-08-10 11:36:31 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042

Comment 25 errata-xmlrpc 2022-08-10 13:14:51 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040

Comment 28 Misha Sugakov 2022-08-19 16:19:33 UTC
Could someone please confirm which go 1.18 version addresses/is free from this vulnerability?

Comment 29 errata-xmlrpc 2022-08-24 13:47:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 30 errata-xmlrpc 2022-08-31 16:55:24 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277

Comment 31 errata-xmlrpc 2022-09-14 19:27:45 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526

Comment 32 errata-xmlrpc 2022-09-26 15:26:27 UTC
This issue has been addressed in the following products:

  RHACS-3.72-RHEL-8

Via RHSA-2022:6714 https://access.redhat.com/errata/RHSA-2022:6714

Comment 35 errata-xmlrpc 2022-12-01 21:09:53 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:8750 https://access.redhat.com/errata/RHSA-2022:8750

Comment 53 errata-xmlrpc 2023-01-24 12:48:47 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407

Comment 54 Product Security DevOps Team 2023-01-26 18:22:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24921

