CVE-2022-2879: Unbounded memory consumption when reading headers in archive/tar
First published: Tue Oct 04 2022(Updated: )
A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.
Credit: security@golang.org security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openshift-serverless-clients | <0:1.6.1-1.el8 | 0:1.6.1-1.el8 |
| redhat/go-toolset | <1.18-0:1.18.9-1.el7_9 | 1.18-0:1.18.9-1.el7_9 |
| redhat/go-toolset | <1.18-golang-0:1.18.9-1.el7_9 | 1.18-golang-0:1.18.9-1.el7_9 |
| redhat/osbuild-composer | <0:75-1.el8 | 0:75-1.el8 |
| redhat/weldr-client | <0:35.9-2.el8 | 0:35.9-2.el8 |
| redhat/golang | <0:1.18.9-1.el9_1 | 0:1.18.9-1.el9_1 |
| redhat/osbuild-composer | <0:76-2.el9_2 | 0:76-2.el9_2 |
| redhat/weldr-client | <0:35.9-1.el9 | 0:35.9-1.el9 |
| redhat/openshift-clients | <0:4.12.0-202301042257.p0.g854f807.assembly.stream.el8 | 0:4.12.0-202301042257.p0.g854f807.assembly.stream.el8 |
| redhat/buildah | <1:1.23.4-4.rhaos4.12.el8 | 1:1.23.4-4.rhaos4.12.el8 |
| redhat/conmon | <2:2.1.2-4.rhaos4.12.el8 | 2:2.1.2-4.rhaos4.12.el8 |
| redhat/podman | <3:4.2.0-6.1.rhaos4.12.el8 | 3:4.2.0-6.1.rhaos4.12.el8 |
| redhat/skopeo | <2:1.9.4-3.rhaos4.12.el9 | 2:1.9.4-3.rhaos4.12.el9 |
| redhat/skupper-cli | <0:1.4.1-2.el8 | 0:1.4.1-2.el8 |
| redhat/skupper-cli | <0:1.4.1-2.el9 | 0:1.4.1-2.el9 |
| Golang Go | <1.18.7 | |
| Golang Go | >=1.19.0<1.19.2 | |
| redhat/go | <1.19.2 | 1.19.2 |
| redhat/go | <1.18.7 | 1.18.7 |
Remedy
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://go.dev/issue/54853
- https://go.dev/cl/439355
- https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
- https://pkg.go.dev/vuln/GO-2022-1037
- https://security.gentoo.org/glsa/202311-09
- https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2132878
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2132879
- https://github.com/golang/go/issues/54853
- https://github.com/golang/go/commit/0bf7ee9977c0218562c50a0b0f0d9cbdf33f65e6
- https://github.com/golang/go/commit/0a723816cd205576945fa57fbdde7e6532d59d08
- https://github.com/golang/go/commit/4fa773cdefd20be093c84f731be7d4febf5536fa
- https://access.redhat.com/errata/RHSA-2022:8781
- https://access.redhat.com/errata/RHSA-2022:7399
- https://access.redhat.com/errata/RHSA-2023:0264
- https://access.redhat.com/errata/RHSA-2023:0328
- https://access.redhat.com/errata/RHSA-2023:0445
- https://access.redhat.com/errata/RHSA-2023:0446
- https://access.redhat.com/errata/RHSA-2023:0542
- https://access.redhat.com/errata/RHSA-2023:0693
- https://access.redhat.com/errata/RHSA-2023:0708
- https://access.redhat.com/errata/RHSA-2023:0709
- https://access.redhat.com/errata/RHSA-2023:0727
- https://access.redhat.com/errata/RHSA-2023:1079
- https://access.redhat.com/errata/RHSA-2023:1042
- https://access.redhat.com/errata/RHSA-2023:1174
- https://access.redhat.com/security/cve/cve-2022-2879
- https://access.redhat.com/errata/RHSA-2023:2204
- https://access.redhat.com/errata/RHSA-2023:2780
- https://access.redhat.com/errata/RHSA-2023:3205
- https://access.redhat.com/errata/RHSA-2023:3742
- https://access.redhat.com/errata/RHSA-2023:3613
- https://access.redhat.com/errata/RHSA-2023:4003
- https://access.redhat.com/errata/RHSA-2024:0121
- https://bugzilla.redhat.com/show_bug.cgi?id=2132867
- https://www.cve.org/CVERecord?id=CVE-2022-2879 https://nvd.nist.gov/vuln/detail/CVE-2022-2879 https://github.com/golang/go/issues/54853 https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1
- https://access.redhat.com/errata/RHSA-2022:8535
- https://access.redhat.com/errata/RHSA-2022:7398
Parent vulnerabilities
(Appears in the following advisories)
- RHSA-2023:1174
- RHSA-2023:1042
- RHSA-2023:0708
- RHSA-2023:0445
- RHSA-2023:0446
- RHSA-2023:2780
- RHSA-2023:0328
- RHSA-2023:2204
- RHSA-2023:0693
- RHSA-2022:8535
- RHSA-2022:7398
- RHSA-2022:7399
- RHSA-2023:0727
- RHSA-2023:3613
- RHSA-2023:0542
- RHSA-2023:1079
- RHSA-2023:3205
- RHSA-2023:3742
- RHSA-2022:8781
- RHSA-2023:0264
- RHSA-2023:0709
- RHSA-2023:4003
Frequently Asked Questions
What is the vulnerability ID for this flaw?
The vulnerability ID for this flaw is CVE-2022-2879.
What is the severity level of CVE-2022-2879?
The severity level of CVE-2022-2879 is high with a score of 7.5.
Which software packages are affected by CVE-2022-2879?
The affected software packages include go, openshift-serverless-clients, go-toolset, osbuild-composer, weldr-client, golang, openshift-clients, buildah, conmon, podman, skopeo, and skupper-cli.
How can I fix the vulnerability in the go package?
You can fix the vulnerability in the go package by updating it to version 1.19.2 or higher.
Is there any additional information about CVE-2022-2879?
Yes, you can find additional information about CVE-2022-2879 in the references provided.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/mitre-cve
- collector/nvd-api
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-2879
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/golang
- canonical/golang go
- version/golang go/1.19.0
- package-manager/redhat