Bug 2163037 (CVE-2022-3064) - CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents
Summary: CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by pars...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3064
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2163540 2163541 2163542 2163553 2163539 2163543 2163544 2163545 2163546 2163547 2163548 2163549 2163550 2163551 2163552 2163555 2163556 2163557 2163558 2163560 2164213 2164540 2164979 2164980 2164981 2164982 2164983 2164984 2165601 2165602
Blocks: 2156736
TreeView+ depends on / blocked
 
Reported: 2023-01-23 04:54 UTC by Avinash Hanwate
Modified: 2024-02-14 06:34 UTC (History)
148 users (show)

Fixed In Version: gopkg.in/yaml.v2 2.2.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.
Clone Of:
Environment:
Last Closed: 2023-03-15 23:32:29 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:0698 0 None None None 2023-02-15 15:44:01 UTC
Red Hat Product Errata RHSA-2023:0778 0 None None None 2023-02-22 23:50:08 UTC
Red Hat Product Errata RHSA-2023:0802 0 None None None 2023-02-17 03:32:47 UTC
Red Hat Product Errata RHSA-2023:0803 0 None None None 2023-02-17 03:46:28 UTC
Red Hat Product Errata RHSA-2023:0804 0 None None None 2023-02-17 04:12:17 UTC
Red Hat Product Errata RHSA-2023:0899 0 None None None 2023-03-01 09:00:22 UTC
Red Hat Product Errata RHSA-2023:1014 0 None None None 2023-02-28 15:47:16 UTC
Red Hat Product Errata RHSA-2023:1275 0 None None None 2023-03-15 19:56:18 UTC
Red Hat Product Errata RHSA-2023:2111 0 None None None 2023-05-10 05:17:19 UTC
Red Hat Product Errata RHSA-2023:2695 0 None None None 2023-05-18 03:09:43 UTC
Red Hat Product Errata RHSA-2023:3218 0 None None None 2023-05-24 07:09:14 UTC
Red Hat Product Errata RHSA-2023:5006 0 None None None 2023-10-31 12:54:32 UTC
Red Hat Product Errata RHSA-2023:6346 0 None None None 2023-11-07 08:13:29 UTC
Red Hat Product Errata RHSA-2023:6938 0 None None None 2023-11-14 15:16:24 UTC
Red Hat Product Errata RHSA-2023:6939 0 None None None 2023-11-14 15:16:59 UTC
Red Hat Product Errata RHSA-2024:0741 0 None None None 2024-02-14 06:34:16 UTC

Description Avinash Hanwate 2023-01-23 04:54:14 UTC 
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

https://github.com/go-yaml/yaml/releases/tag/v2.2.4
https://pkg.go.dev/vuln/GO-2022-0956
https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5
Comment 3 Anten Skrabec 2023-01-23 21:45:37 UTC 
Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2163539]


Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 2163553]


Created exercism tracking bugs for this issue:

Affects: fedora-all [bug 2163543]


Created gmailctl tracking bugs for this issue:

Affects: fedora-all [bug 2163544]


Created golang-github-francoispqt-gojay tracking bugs for this issue:

Affects: fedora-all [bug 2163545]


Created golang-github-grpc-ecosystem-gateway tracking bugs for this issue:

Affects: fedora-all [bug 2163546]


Created golang-github-instrumenta-kubeval tracking bugs for this issue:

Affects: fedora-all [bug 2163547]


Created golang-gopkg-yaml tracking bugs for this issue:

Affects: epel-all [bug 2163540]


Created golie tracking bugs for this issue:

Affects: epel-all [bug 2163541]


Created kompose tracking bugs for this issue:

Affects: epel-all [bug 2163542]
Affects: fedora-all [bug 2163548]


Created manifest-tool tracking bugs for this issue:

Affects: fedora-all [bug 2163549]


Created moby-engine tracking bugs for this issue:

Affects: fedora-all [bug 2163550]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2163551]


Created yggdrasil tracking bugs for this issue:

Affects: fedora-all [bug 2163552]
Comment 9 Anten Skrabec 2023-01-24 19:11:29 UTC 
Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2164213]
Comment 22 errata-xmlrpc 2023-02-15 15:43:54 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0698 https://access.redhat.com/errata/RHSA-2023:0698
Comment 23 errata-xmlrpc 2023-02-17 03:32:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.6

Via RHSA-2023:0802 https://access.redhat.com/errata/RHSA-2023:0802
Comment 24 errata-xmlrpc 2023-02-17 03:46:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.7

Via RHSA-2023:0803 https://access.redhat.com/errata/RHSA-2023:0803
Comment 25 errata-xmlrpc 2023-02-17 04:12:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.5

Via RHSA-2023:0804 https://access.redhat.com/errata/RHSA-2023:0804
Comment 28 errata-xmlrpc 2023-02-22 23:50:00 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0778 https://access.redhat.com/errata/RHSA-2023:0778
Comment 29 errata-xmlrpc 2023-02-28 15:47:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.0

Via RHSA-2023:1014 https://access.redhat.com/errata/RHSA-2023:1014
Comment 30 errata-xmlrpc 2023-03-01 09:00:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0899 https://access.redhat.com/errata/RHSA-2023:0899
Comment 33 errata-xmlrpc 2023-03-15 19:56:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275
Comment 34 Product Security DevOps Team 2023-03-15 23:31:42 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3064
Comment 35 errata-xmlrpc 2023-05-10 05:17:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:2111 https://access.redhat.com/errata/RHSA-2023:2111
Comment 36 errata-xmlrpc 2023-05-18 03:09:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:2695 https://access.redhat.com/errata/RHSA-2023:2695
Comment 37 errata-xmlrpc 2023-05-24 07:09:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:3218 https://access.redhat.com/errata/RHSA-2023:3218
Comment 38 errata-xmlrpc 2023-10-31 12:54:23 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006
Comment 39 errata-xmlrpc 2023-11-07 08:13:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346
Comment 40 errata-xmlrpc 2023-11-14 15:16:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938
Comment 41 errata-xmlrpc 2023-11-14 15:16:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939
Comment 42 errata-xmlrpc 2024-02-14 06:34:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741
Note You need to log in before you can comment on or make changes to this bug.