Bug 2163037 (CVE-2022-3064) - CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3064
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2163540 2163541 2163542 2163553 2163539 2163543 2163544 2163545 2163546 2163547 2163548 2163549 2163550 2163551 2163552 2163555 2163556 2163557 2163558 2163560 2164213 2164540 2164979 2164980 2164981 2164982 2164983 2164984 2165601 2165602
Blocks: 2156736
Reported: 2023-01-23 04:54 UTC by Avinash Hanwate
Modified: 2024-05-22 15:20 UTC (History)
CC: 149 users

Fixed In Version: gopkg.in/yaml.v2 2.2.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in go-yaml: parsing a large or maliciously crafted YAML document can consume excessive amounts of CPU or memory.
Clone Of:
Environment:
Last Closed: 2023-03-15 23:32:29 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:0698 0 None None None 2023-02-15 15:44:01 UTC
Red Hat Product Errata RHSA-2023:0778 0 None None None 2023-02-22 23:50:08 UTC
Red Hat Product Errata RHSA-2023:0802 0 None None None 2023-02-17 03:32:47 UTC
Red Hat Product Errata RHSA-2023:0803 0 None None None 2023-02-17 03:46:28 UTC
Red Hat Product Errata RHSA-2023:0804 0 None None None 2023-02-17 04:12:17 UTC
Red Hat Product Errata RHSA-2023:0899 0 None None None 2023-03-01 09:00:22 UTC
Red Hat Product Errata RHSA-2023:1014 0 None None None 2023-02-28 15:47:16 UTC
Red Hat Product Errata RHSA-2023:1275 0 None None None 2023-03-15 19:56:18 UTC
Red Hat Product Errata RHSA-2023:2111 0 None None None 2023-05-10 05:17:19 UTC
Red Hat Product Errata RHSA-2023:2695 0 None None None 2023-05-18 03:09:43 UTC
Red Hat Product Errata RHSA-2023:3218 0 None None None 2023-05-24 07:09:14 UTC
Red Hat Product Errata RHSA-2023:5006 0 None None None 2023-10-31 12:54:32 UTC
Red Hat Product Errata RHSA-2023:6346 0 None None None 2023-11-07 08:13:29 UTC
Red Hat Product Errata RHSA-2023:6938 0 None None None 2023-11-14 15:16:24 UTC
Red Hat Product Errata RHSA-2023:6939 0 None None None 2023-11-14 15:16:59 UTC
Red Hat Product Errata RHSA-2024:0741 0 None None None 2024-02-14 06:34:16 UTC

Description Avinash Hanwate 2023-01-23 04:54:14 UTC
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

https://github.com/go-yaml/yaml/releases/tag/v2.2.4
https://pkg.go.dev/vuln/GO-2022-0956
https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5
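
The Doc Text and the description above state only that a large or crafted document can burn CPU or memory. The Go program below is an added example, not code from go-yaml, from the upstream commit or from this bug: it shows the alias-expansion budget that the referenced fix adjusts, applied to a constructed in-memory node tree rather than to real YAML, so it runs with the standard library alone. The node type, the budget type, the builder functions and the two constructed inputs (an exponential "billion laughs" tree and a document that legitimately reuses one anchor) are all mine; the threshold constants and the 100-alias/1000-decode exemption are recalled from the upstream heuristic rather than copied, so verify them against commit f221b8435cfb71e54062f6c6e99e9ade30b124d5 before relying on the exact values.

```go
package main

import (
	"errors"
	"fmt"
)

// node is a constructed stand-in for a parsed YAML node, not go-yaml's own type.
type node struct {
	kind     string  // "scalar", "seq" or "alias"
	children []*node // for "seq"
	target   *node   // for "alias": the anchored node it refers back to
}

// seqOf builds a sequence of n nodes produced by mk (used only for the constructed inputs).
func seqOf(n int, mk func() *node) *node {
	s := &node{kind: "seq"}
	for i := 0; i < n; i++ {
		s.children = append(s.children, mk())
	}
	return s
}

// Thresholds recalled from the upstream heuristic, not copied: verify them against f221b84.
// Up to aliasRatioRangeLow decodes, 99% may be alias-driven; from aliasRatioRangeHigh on, only 10%.
const aliasRatioRangeLow, aliasRatioRangeHigh = 400000, 4000000

// allowedAliasRatio shrinks the permitted alias-driven share as the document grows, so a large
// document cannot hide a modest expansion factor that still costs gigabytes.
func allowedAliasRatio(decodeCount int) float64 {
	switch {
	case decodeCount <= aliasRatioRangeLow:
		return 0.99
	case decodeCount >= aliasRatioRangeHigh:
		return 0.10
	}
	return 0.99 - 0.89*float64(decodeCount-aliasRatioRangeLow)/float64(aliasRatioRangeHigh-aliasRatioRangeLow)
}

var ErrExcessiveAliasing = errors.New("document contains excessive aliasing")

// budget counts decode operations and how many of them occur inside alias expansion.
type budget struct{ decodeCount, aliasCount, aliasDepth int }

// step runs once per visited node; small documents are exempt so ordinary anchor reuse passes.
func (b *budget) step() error {
	b.decodeCount++
	if b.aliasDepth > 0 {
		b.aliasCount++
	}
	if b.aliasCount > 100 && b.decodeCount > 1000 &&
		float64(b.aliasCount)/float64(b.decodeCount) > allowedAliasRatio(b.decodeCount) {
		return ErrExcessiveAliasing
	}
	return nil
}

// expand follows aliases the way a decoder materialises them (a shared subtree is visited once
// per reference) and returns the scalar count, or the budget error as soon as the check trips.
func (b *budget) expand(n *node) (int, error) {
	if err := b.step(); err != nil {
		return 0, err
	}
	switch n.kind {
	case "scalar":
		return 1, nil
	case "alias":
		b.aliasDepth++
		defer func() { b.aliasDepth-- }()
		return b.expand(n.target)
	}
	total := 0
	for _, c := range n.children {
		k, err := b.expand(c)
		if err != nil {
			return 0, err
		}
		total += k
	}
	return total, nil
}

// billionLaughs (constructed input): level 1 holds fanout scalars and every level above holds
// fanout aliases to the level below, so full expansion would cost fanout^depth scalars.
func billionLaughs(depth, fanout int) *node {
	lvl := seqOf(fanout, func() *node { return &node{kind: "scalar"} })
	for l := 1; l < depth; l++ {
		prev := lvl
		lvl = seqOf(fanout, func() *node { return &node{kind: "alias", target: prev} })
	}
	return lvl
}

// reuseDocument (constructed input): one anchored sequence of size scalars followed by refs
// aliases to it, the legitimate reuse the heuristic must keep accepting.
func reuseDocument(size, refs int) *node {
	shared := seqOf(size, func() *node { return &node{kind: "scalar"} })
	root := seqOf(refs, func() *node { return &node{kind: "alias", target: shared} })
	root.children = append([]*node{shared}, root.children...)
	return root
}

func main() {
	_, err := (&budget{}).expand(billionLaughs(9, 9)) // 9^9 scalars if expanded in full
	fmt.Println("exponential document:", err)
	n, err := (&budget{}).expand(reuseDocument(10, 200))
	fmt.Println("one anchor reused 200 times:", n, err)
}
```

Run as written, the exponential tree is refused after roughly a thousand decode steps instead of after 9^9 allocations, while a document that reuses one anchor two hundred times decodes to 2010 scalars, because only about 91% of its decode work is alias-driven. Two caveats for consumers: the ratio only bounds alias abuse, so a service that accepts YAML from untrusted parties still wants a hard byte cap on the raw input (io.LimitReader before the decoder) against honest-but-huge documents; and the Fixed In Version above refers to gopkg.in/yaml.v2, so check which module path and version each binary actually vendors before treating it as patched.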

Comment 3 Anten Skrabec 2023-01-23 21:45:37 UTC
Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2163539]


Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 2163553]


Created exercism tracking bugs for this issue:

Affects: fedora-all [bug 2163543]


Created gmailctl tracking bugs for this issue:

Affects: fedora-all [bug 2163544]


Created golang-github-francoispqt-gojay tracking bugs for this issue:

Affects: fedora-all [bug 2163545]


Created golang-github-grpc-ecosystem-gateway tracking bugs for this issue:

Affects: fedora-all [bug 2163546]


Created golang-github-instrumenta-kubeval tracking bugs for this issue:

Affects: fedora-all [bug 2163547]


Created golang-gopkg-yaml tracking bugs for this issue:

Affects: epel-all [bug 2163540]


Created golie tracking bugs for this issue:

Affects: epel-all [bug 2163541]


Created kompose tracking bugs for this issue:

Affects: epel-all [bug 2163542]
Affects: fedora-all [bug 2163548]


Created manifest-tool tracking bugs for this issue:

Affects: fedora-all [bug 2163549]


Created moby-engine tracking bugs for this issue:

Affects: fedora-all [bug 2163550]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2163551]


Created yggdrasil tracking bugs for this issue:

Affects: fedora-all [bug 2163552]

Comment 9 Anten Skrabec 2023-01-24 19:11:29 UTC
Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2164213]

Comment 22 errata-xmlrpc 2023-02-15 15:43:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0698 https://access.redhat.com/errata/RHSA-2023:0698

Comment 23 errata-xmlrpc 2023-02-17 03:32:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.6

Via RHSA-2023:0802 https://access.redhat.com/errata/RHSA-2023:0802

Comment 24 errata-xmlrpc 2023-02-17 03:46:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.7

Via RHSA-2023:0803 https://access.redhat.com/errata/RHSA-2023:0803

Comment 25 errata-xmlrpc 2023-02-17 04:12:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.5

Via RHSA-2023:0804 https://access.redhat.com/errata/RHSA-2023:0804

Comment 28 errata-xmlrpc 2023-02-22 23:50:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0778 https://access.redhat.com/errata/RHSA-2023:0778

Comment 29 errata-xmlrpc 2023-02-28 15:47:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.0

Via RHSA-2023:1014 https://access.redhat.com/errata/RHSA-2023:1014

Comment 30 errata-xmlrpc 2023-03-01 09:00:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0899 https://access.redhat.com/errata/RHSA-2023:0899

Comment 33 errata-xmlrpc 2023-03-15 19:56:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275

Comment 34 Product Security DevOps Team 2023-03-15 23:31:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3064

Comment 35 errata-xmlrpc 2023-05-10 05:17:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:2111 https://access.redhat.com/errata/RHSA-2023:2111

Comment 36 errata-xmlrpc 2023-05-18 03:09:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:2695 https://access.redhat.com/errata/RHSA-2023:2695

Comment 37 errata-xmlrpc 2023-05-24 07:09:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:3218 https://access.redhat.com/errata/RHSA-2023:3218

Comment 38 errata-xmlrpc 2023-10-31 12:54:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006

Comment 39 errata-xmlrpc 2023-11-07 08:13:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346

Comment 40 errata-xmlrpc 2023-11-14 15:16:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938

Comment 41 errata-xmlrpc 2023-11-14 15:16:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939

Comment 42 errata-xmlrpc 2024-02-14 06:34:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741

