CVE-2022-23772: Buffer Overflow
First published: Wed Jan 19 2022(Updated: )
A flaw was found in the big package of the math library in golang. The Rat.SetString could cause an overflow, and if left unhandled, it could lead to excessive memory use. This issue could allow a remote attacker to impact the availability of the system.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cloud Pak for Security | <=1.10.0.0 - 1.10.11.0 | |
| IBM QRadar Suite Software | <=1.10.12.0 - 1.10.16.0 | |
| Golang Go | <1.16.14 | |
| Golang Go | >=1.17.0<1.17.7 | |
| Netapp Beegfs Csi Driver | ||
| Netapp Cloud Insights Telegraf Agent | ||
| Netapp Kubernetes Monitoring Operator | ||
| Netapp Storagegrid | ||
| Debian Debian Linux | =9.0 | |
| redhat/openshift-serverless-clients | <0:1.1.0-3.el8 | 0:1.1.0-3.el8 |
| redhat/servicemesh | <0:2.1.3-1.el8 | 0:2.1.3-1.el8 |
| redhat/servicemesh-operator | <0:2.1.3-2.el8 | 0:2.1.3-2.el8 |
| redhat/servicemesh-prometheus | <0:2.23.0-7.el8 | 0:2.23.0-7.el8 |
| redhat/servicemesh-proxy | <0:2.1.3-1.el8 | 0:2.1.3-1.el8 |
| redhat/servicemesh-ratelimit | <0:2.1.3-1.el8 | 0:2.1.3-1.el8 |
| redhat/butane | <0:0.15.0-1.rhaos4.11.el8 | 0:0.15.0-1.rhaos4.11.el8 |
| redhat/ignition | <0:2.14.0-3.rhaos4.11.el8 | 0:2.14.0-3.rhaos4.11.el8 |
| redhat/openshift-clients | <0:4.11.0-202207291716.p0.g7075089.assembly.stream.el8 | 0:4.11.0-202207291716.p0.g7075089.assembly.stream.el8 |
| redhat/buildah | <1:1.23.4-3.rhaos4.11.el8 | 1:1.23.4-3.rhaos4.11.el8 |
| redhat/mcg | <0:5.11.0-22.el8 | 0:5.11.0-22.el8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-23772 https://nvd.nist.gov/vuln/detail/CVE-2022-23772 https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- https://bugzilla.redhat.com/show_bug.cgi?id=2053532
- https://access.redhat.com/errata/RHSA-2022:4863
- https://access.redhat.com/errata/RHSA-2022:4860
- https://access.redhat.com/errata/RHSA-2022:5004
- https://access.redhat.com/errata/RHSA-2022:1819
- https://access.redhat.com/errata/RHSA-2022:5730
- https://access.redhat.com/errata/RHSA-2022:5068
- https://access.redhat.com/errata/RHSA-2023:3914
- https://access.redhat.com/errata/RHSA-2022:6155
- https://access.redhat.com/errata/RHSA-2022:6156
- https://access.redhat.com/errata/RHSA-2022:6526
- https://access.redhat.com/errata/RHSA-2023:0408
- https://access.redhat.com/errata/RHSA-2023:1529
- https://access.redhat.com/security/cve/cve-2022-23772
- https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html
- https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html
- https://security.gentoo.org/glsa/202208-02
- https://security.netapp.com/advisory/ntap-20220225-0006/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/219442
- https://www.ibm.com/support/pages/node/7080058 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2053533
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2053535
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2053534
- https://github.com/golang/go/issues/50699
- https://github.com/golang/go/commit/ad345c265916bbf6c646865e4642eafce6d39e78
- https://access.redhat.com/errata/RHSA-2024:5754
- https://access.redhat.com/errata/RHSA-2024:6412
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-23772?
CVE-2022-23772 is a vulnerability in the Rat.SetString function in the math/big package in Go before version 1.16.14 and 1.17.x before version 1.17.7.
What is the severity of CVE-2022-23772?
CVE-2022-23772 has a severity rating of high, with a severity value of 7.
How does CVE-2022-23772 impact the system?
CVE-2022-23772 could lead to excessive memory use and can impact the availability of the system.
How do I fix CVE-2022-23772?
To fix CVE-2022-23772, update your Go installation to version 1.16.14 or 1.17.7, depending on the version you are using.
Where can I find more information about CVE-2022-23772?
You can find more information about CVE-2022-23772 at the following references: [CVE-2022-23772](https://www.cve.org/CVERecord?id=CVE-2022-23772), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-23772), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2053532), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2022:4863).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-23772
- package-manager/redhat
- vendor/golang
- canonical/golang go
- version/golang go/1.17.0
- vendor/netapp
- canonical/netapp beegfs csi driver
- canonical/netapp cloud insights telegraf agent
- canonical/netapp kubernetes monitoring operator
- canonical/netapp storagegrid
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/ibm
- canonical/ibm cloud pak for security
- version/ibm cloud pak for security/1.10.0.0 - 1.10.11.0
- canonical/ibm qradar suite software
- version/ibm qradar suite software/1.10.12.0 - 1.10.16.0