Bug 2184482 (CVE-2023-24536) - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
Keywords:
Status: NEW
Alias: CVE-2023-24536
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Duplicates: 2207888
Depends On: 2186209 2186210 2186211 2187354 2187355 2187356 2187357 2187358 2187359 2187360 2187361 2187362 2187363 2187364 2187365 2187366 2187367 2187368 2187372 2187373 2187374 2187375 2187376 2187377 2187378 2187381 2187382 2187383 2187384 2187385 2187386 2189018 2189019 2189020 2189021 2189022 2189023 2189024 2189025 2189026 2189027 2189028 2189029 2189030 2189031 2189032 2189033 2189034 2189035 2189036
Blocks: 2184485
Reported: 2023-04-04 20:23 UTC by Pedro Sampaio
Modified: 2024-04-02 15:28 UTC (History)
CC: 145 users

Fixed In Version: golang 1.20.3, golang 1.19.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go's multipart form parsing (net/http, net/textproto, mime/multipart). By sending a form containing a very large number of parts, a remote attacker can make a server that parses the form consume large amounts of CPU and memory, resulting in a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
Red Hat Product Errata RHBA-2023:6108 (last updated 2023-10-25 12:15:37 UTC)
Red Hat Product Errata RHSA-2023:3167 (last updated 2023-05-18 11:34:21 UTC)
Red Hat Product Errata RHSA-2023:3367 (last updated 2023-06-07 01:50:48 UTC)
Red Hat Product Errata RHSA-2023:3445 (last updated 2023-06-05 14:08:19 UTC)
Red Hat Product Errata RHSA-2023:3450 (last updated 2023-06-05 16:44:28 UTC)
Red Hat Product Errata RHSA-2023:3455 (last updated 2023-06-05 23:43:01 UTC)
Red Hat Product Errata RHSA-2023:3540 (last updated 2023-06-13 15:32:38 UTC)
Red Hat Product Errata RHSA-2023:3612 (last updated 2023-06-23 04:39:50 UTC)
Red Hat Product Errata RHSA-2023:3624 (last updated 2023-06-15 09:48:18 UTC)
Red Hat Product Errata RHSA-2023:3918 (last updated 2023-06-29 00:59:13 UTC)
Red Hat Product Errata RHSA-2023:3943 (last updated 2023-06-29 14:32:40 UTC)
Red Hat Product Errata RHSA-2023:4003 (last updated 2023-07-10 08:51:32 UTC)
Red Hat Product Errata RHSA-2023:4093 (last updated 2023-07-20 17:28:59 UTC)
Red Hat Product Errata RHSA-2023:4335 (last updated 2023-08-08 00:36:28 UTC)
Red Hat Product Errata RHSA-2023:4470 (last updated 2023-08-03 14:12:55 UTC)
Red Hat Product Errata RHSA-2023:4627 (last updated 2023-08-14 01:02:44 UTC)
Red Hat Product Errata RHSA-2023:4657 (last updated 2023-08-23 00:18:04 UTC)
Red Hat Product Errata RHSA-2023:4664 (last updated 2023-08-16 14:09:36 UTC)
Red Hat Product Errata RHSA-2023:4986 (last updated 2023-09-06 07:56:24 UTC)
Red Hat Product Errata RHSA-2023:5964 (last updated 2023-10-20 14:57:16 UTC)
Red Hat Product Errata RHSA-2023:6346 (last updated 2023-11-07 08:13:30 UTC)
Red Hat Product Errata RHSA-2023:6363 (last updated 2023-11-07 08:14:09 UTC)
Red Hat Product Errata RHSA-2023:6402 (last updated 2023-11-07 08:15:54 UTC)
Red Hat Product Errata RHSA-2023:6473 (last updated 2023-11-07 08:17:07 UTC)
Red Hat Product Errata RHSA-2023:6474 (last updated 2023-11-07 08:17:41 UTC)
Red Hat Product Errata RHSA-2023:6938 (last updated 2023-11-14 15:16:38 UTC)
Red Hat Product Errata RHSA-2023:6939 (last updated 2023-11-14 15:17:21 UTC)

Description Pedro Sampaio 2023-04-04 20:23:07 UTC
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts.

References:

https://github.com/golang/go/issues/59153
https://github.com/golang/go/issues/59270
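The bounded parser below is an added example written for this page; it is not code from the Go project or from this bug report. It walks a form with mime/multipart.Reader.NextPart instead of Reader.ReadForm and enforces, in application code, the same kind of caps that Go 1.19.8 and 1.20.3 added inside ReadForm (1000 parts per form and 10000 headers per part, adjustable with GODEBUG=multipartmaxparts= and GODEBUG=multipartmaxheaders=), plus a ceiling on the total body and on each part, so a pre-fix toolchain, or code that streams parts itself and never calls ReadForm, gets the same protection. The names MaxParts, ParseBounded, BuildForm and cappedReader are this example's own, and the many-part form it parses is constructed sample input, not captured traffic.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
	"net/textproto"
)

// Caps enforced by ParseBounded. MaxParts and MaxHeadersPerPart match the
// defaults the fixed Go releases apply inside Reader.ReadForm; the byte
// caps are this example's own choice and should be tuned per endpoint.
const (
	MaxBodyBytes      = 8 << 20 // total bytes the parser will read
	MaxParts          = 1000    // file and non-file parts per form
	MaxHeadersPerPart = 10000   // MIME header values in one part
	MaxPartBytes      = 1 << 20 // bytes retained from any single part
)

var (
	ErrBodyTooLarge   = errors.New("multipart: request body exceeds cap")
	ErrTooManyParts   = errors.New("multipart: too many parts")
	ErrTooManyHeaders = errors.New("multipart: too many headers in part")
	ErrPartTooLarge   = errors.New("multipart: part exceeds size cap")
)

// Part is what the parser keeps per form part: the field name and a
// size-capped copy of the body.
type Part struct {
	Name string
	Body []byte
}

// cappedReader fails any read past MaxBodyBytes. In an HTTP handler the
// same job is done by wrapping r.Body with http.MaxBytesReader; this
// stand-in keeps the example free of network code.
type cappedReader struct {
	r    io.Reader
	left int64
}

func (c *cappedReader) Read(p []byte) (int, error) {
	if c.left <= 0 {
		return 0, ErrBodyTooLarge
	}
	if int64(len(p)) > c.left {
		p = p[:c.left]
	}
	n, err := c.r.Read(p)
	c.left -= int64(n)
	return n, err
}

// headerCount counts header values, not keys, so a part that repeats one
// header name thousands of times is counted at its true size.
func headerCount(h textproto.MIMEHeader) int {
	n := 0
	for _, vals := range h {
		n += len(vals)
	}
	return n
}

// ParseBounded reads one part at a time and checks the part count and
// per-part header count before buffering anything, so a form with a very
// large number of parts is rejected with a bounded amount of work. The
// header check runs after NextPart has parsed that part's headers; the
// body cap is what bounds the work spent parsing them.
func ParseBounded(r io.Reader, boundary string) ([]Part, error) {
	mr := multipart.NewReader(&cappedReader{r: r, left: MaxBodyBytes}, boundary)
	var parts []Part
	for {
		p, err := mr.NextPart()
		if err == io.EOF {
			return parts, nil
		}
		if err != nil {
			return nil, err
		}
		if len(parts) >= MaxParts {
			return nil, ErrTooManyParts
		}
		if headerCount(p.Header) > MaxHeadersPerPart {
			return nil, ErrTooManyHeaders
		}
		body, err := io.ReadAll(io.LimitReader(p, MaxPartBytes+1))
		if err != nil {
			return nil, err
		}
		if len(body) > MaxPartBytes {
			return nil, ErrPartTooLarge
		}
		parts = append(parts, Part{Name: p.FormName(), Body: body})
	}
}

// BuildForm constructs a form with n text fields field0..field{n-1} using
// the standard multipart.Writer. It is sample input for the parser above.
func BuildForm(n int) (body []byte, boundary string) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	for i := 0; i < n; i++ {
		_ = w.WriteField(fmt.Sprintf("field%d", i), fmt.Sprintf("value%d", i))
	}
	_ = w.Close()
	return buf.Bytes(), w.Boundary()
}

func main() {
	body, boundary := BuildForm(MaxParts + 1)
	_, err := ParseBounded(bytes.NewReader(body), boundary)
	fmt.Println("form with", MaxParts+1, "parts:", err)
}
```

On a fixed toolchain the same request is already rejected by ReadForm, so in net/http handlers the practical checklist is: upgrade to 1.19.8/1.20.3 or later, wrap the body with http.MaxBytesReader, pass a deliberate maxMemory to ParseMultipartForm, and only lower the GODEBUG multipart limits for endpoints that genuinely need more parts.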

Comment 9 Avinash Hanwate 2023-04-24 05:03:56 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2189020]
Affects: fedora-all [bug 2189021]

Comment 17 errata-xmlrpc 2023-05-18 11:34:15 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:3167 https://access.redhat.com/errata/RHSA-2023:3167

Comment 18 Derrick Ornelas 2023-05-23 22:13:50 UTC
*** Bug 2207888 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2023-06-05 14:08:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445

Comment 21 errata-xmlrpc 2023-06-05 16:44:20 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450

Comment 22 errata-xmlrpc 2023-06-05 23:42:54 UTC
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455

Comment 23 errata-xmlrpc 2023-06-07 01:50:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3367 https://access.redhat.com/errata/RHSA-2023:3367

Comment 24 errata-xmlrpc 2023-06-13 15:32:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3540 https://access.redhat.com/errata/RHSA-2023:3540

Comment 27 errata-xmlrpc 2023-06-15 09:48:11 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:3624 https://access.redhat.com/errata/RHSA-2023:3624

Comment 28 errata-xmlrpc 2023-06-23 04:39:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612

Comment 29 errata-xmlrpc 2023-06-29 00:59:07 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:3918 https://access.redhat.com/errata/RHSA-2023:3918

Comment 30 errata-xmlrpc 2023-06-29 14:32:33 UTC
This issue has been addressed in the following products:

  RHACS-4.1-RHEL-8

Via RHSA-2023:3943 https://access.redhat.com/errata/RHSA-2023:3943

Comment 32 errata-xmlrpc 2023-07-10 08:51:27 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003

Comment 35 errata-xmlrpc 2023-07-20 17:28:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4093 https://access.redhat.com/errata/RHSA-2023:4093

Comment 37 errata-xmlrpc 2023-08-03 14:12:48 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470

Comment 38 errata-xmlrpc 2023-08-08 00:36:23 UTC
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335

Comment 39 errata-xmlrpc 2023-08-14 01:02:39 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

Comment 40 errata-xmlrpc 2023-08-16 14:09:30 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:4664 https://access.redhat.com/errata/RHSA-2023:4664

Comment 41 errata-xmlrpc 2023-08-23 00:17:57 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:4657 https://access.redhat.com/errata/RHSA-2023:4657

Comment 42 errata-xmlrpc 2023-09-06 07:56:18 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:4986 https://access.redhat.com/errata/RHSA-2023:4986

Comment 43 errata-xmlrpc 2023-10-20 14:57:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5964 https://access.redhat.com/errata/RHSA-2023:5964

Comment 44 errata-xmlrpc 2023-11-07 08:13:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346

Comment 45 errata-xmlrpc 2023-11-07 08:13:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363

Comment 46 errata-xmlrpc 2023-11-07 08:15:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402

Comment 47 errata-xmlrpc 2023-11-07 08:17:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473

Comment 48 errata-xmlrpc 2023-11-07 08:17:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474

Comment 49 errata-xmlrpc 2023-11-14 15:16:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938

Comment 50 errata-xmlrpc 2023-11-14 15:17:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939
