Bug 2134010 (CVE-2022-32149) - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Keywords:
Status: NEW
Alias: CVE-2022-32149
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2134926 2134927 2134928 2134929 2134930 2134933 2134934 2134335 2134336 2135218 2135219 2135220 2135221 2135222 2135223
Blocks: 2134011
Reported: 2022-10-12 06:41 UTC by TEJ RATHI
Modified: 2023-02-03 23:11 UTC (History)

Fixed In Version: golang.org/x/text 0.3.8
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header that ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service and can impact availability.
Clone Of:
Environment:
Last Closed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6882 0 None None None 2022-11-09 16:44:10 UTC
Red Hat Product Errata RHSA-2022:7407 0 None None None 2022-11-03 13:32:50 UTC
Red Hat Product Errata RHSA-2022:7434 0 None None None 2022-11-10 03:50:36 UTC
Red Hat Product Errata RHSA-2022:7435 0 None None None 2022-11-16 12:14:14 UTC
Red Hat Product Errata RHSA-2023:0481 0 None None None 2023-01-26 21:23:53 UTC

Description TEJ RATHI 2022-10-12 06:41:02 UTC
A vulnerability was found in the golang.org/x/text/language package which could cause a denial of service. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Version v0.3.8 of golang.org/x/text fixes this vulnerability.

References:
https://groups.google.com/g/golang-dev/c/qfPIly0X7aU
https://go.dev/issue/56152

Upstream Commit:
https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c

Comment 6 errata-xmlrpc 2022-11-03 13:32:46 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.9

Via RHSA-2022:7407 https://access.redhat.com/errata/RHSA-2022:7407

Comment 7 errata-xmlrpc 2022-11-09 16:44:07 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2022:6882 https://access.redhat.com/errata/RHSA-2022:6882

Comment 8 errata-xmlrpc 2022-11-10 03:50:31 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:7434 https://access.redhat.com/errata/RHSA-2022:7434

Comment 9 errata-xmlrpc 2022-11-16 12:14:11 UTC
This issue has been addressed in the following products:

  Logging subsystem for Red Hat OpenShift 5.4

Via RHSA-2022:7435 https://access.redhat.com/errata/RHSA-2022:7435

Comment 21 errata-xmlrpc 2023-01-26 21:23:50 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2023:0481 https://access.redhat.com/errata/RHSA-2023:0481

