First published: Tue Sep 06 2022(Updated: )
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
go/golang.org/x/net/http2 | <0.0.0-20220906165146-f3363e06e74c | 0.0.0-20220906165146-f3363e06e74c |
go/golang.org/x/net | <0.0.0-20220906165146-f3363e06e74c | 0.0.0-20220906165146-f3363e06e74c |
redhat/openshift-serverless-clients | <0:1.6.1-1.el8 | 0:1.6.1-1.el8 |
redhat/git-lfs | <0:2.13.3-3.el8_6 | 0:2.13.3-3.el8_6 |
redhat/osbuild-composer | <0:75-1.el8 | 0:75-1.el8 |
redhat/weldr-client | <0:35.9-2.el8 | 0:35.9-2.el8 |
redhat/grafana | <0:7.5.15-4.el8 | 0:7.5.15-4.el8 |
redhat/grafana-pcp | <0:3.2.0-3.el8 | 0:3.2.0-3.el8 |
redhat/golang | <0:1.18.9-1.el9_1 | 0:1.18.9-1.el9_1 |
redhat/grafana | <0:9.0.9-2.el9 | 0:9.0.9-2.el9 |
redhat/grafana-pcp | <0:5.1.1-1.el9 | 0:5.1.1-1.el9 |
redhat/butane | <0:0.16.0-1.el9 | 0:0.16.0-1.el9 |
redhat/osbuild-composer | <0:76-2.el9_2 | 0:76-2.el9_2 |
redhat/weldr-client | <0:35.9-1.el9 | 0:35.9-1.el9 |
redhat/toolbox | <0:0.0.99.3-9.el9 | 0:0.0.99.3-9.el9 |
redhat/git-lfs | <0:3.2.0-1.el9 | 0:3.2.0-1.el9 |
redhat/cri-o | <0:1.24.4-5.rhaos4.11.git57d7127.el8 | 0:1.24.4-5.rhaos4.11.git57d7127.el8 |
redhat/cri-tools | <0:1.24.2-7.el8 | 0:1.24.2-7.el8 |
redhat/cri-o | <0:1.25.1-5.rhaos4.12.git6005903.el8 | 0:1.25.1-5.rhaos4.12.git6005903.el8 |
redhat/cri-tools | <0:1.25.0-2.el8 | 0:1.25.0-2.el8 |
redhat/openshift-clients | <0:4.12.0-202301042257.p0.g854f807.assembly.stream.el8 | 0:4.12.0-202301042257.p0.g854f807.assembly.stream.el8 |
redhat/podman | <3:4.2.0-7.rhaos4.12.el9 | 3:4.2.0-7.rhaos4.12.el9 |
redhat/skopeo | <2:1.9.4-3.rhaos4.12.el9 | 2:1.9.4-3.rhaos4.12.el9 |
redhat/openshift-clients | <0:4.12.0-202308151125.p0.gf61957e.assembly.stream.el9 | 0:4.12.0-202308151125.p0.gf61957e.assembly.stream.el9 |
redhat/openshift-clients | <0:4.13.0-202308112024.p0.g17b7acc.assembly.stream.el9 | 0:4.13.0-202308112024.p0.g17b7acc.assembly.stream.el9 |
redhat/etcd | <0:3.3.23-12.el8 | 0:3.3.23-12.el8 |
redhat/kubevirt | <0:4.13.0-1469.el7 | 0:4.13.0-1469.el7 |
redhat/kubevirt | <0:4.13.0-1469.el8 | 0:4.13.0-1469.el8 |
redhat/kubevirt | <0:4.13.0-1469.el9 | 0:4.13.0-1469.el9 |
Golang Go | <1.18.6 | |
Golang Go | =1.19.0 | |
Fedoraproject Fedora | =36 | |
Fedoraproject Fedora | =37 | |
redhat/golang | <1.19.1 | 1.19.1 |
redhat/golang | <1.18.6 | 1.18.6 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2022-27664 is a vulnerability in the golang package that allows a denial of service attack by causing a closing HTTP/2 server connection to hang.
CVE-2022-27664 affects Golang Go by enabling a remote attacker to exploit the vulnerability and cause a denial of service condition.
CVE-2022-27664 has a severity level of high.
To fix CVE-2022-27664, you need to update the affected software to version 0.0.0-20220906165146-f3363e06e74c or later.
You can find more information about CVE-2022-27664 on the NIST website and the Golang announcement groups.