CVE-2024-24788: Malformed DNS message can cause infinite loop in net

Reference Links

• https://go.dev/cl/578375
• https://go.dev/issue/66754
• https://groups.google.com/g/golang-announce/c/wkkO4P9stm0
• https://pkg.go.dev/vuln/GO-2024-2824
• https://security.netapp.com/advisory/ntap-20240605-0002/
• https://security.netapp.com/advisory/ntap-20240614-0001/
• http://www.openwall.com/lists/oss-security/2024/05/08/3
• https://launchpad.net/bugs/cve/CVE-2024-24788
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24788
• https://nvd.nist.gov/vuln/detail/CVE-2024-24788
• https://security-tracker.debian.org/tracker/CVE-2024-24788
• https://ubuntu.com/security/CVE-2024-24788
• https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2279815
• https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2279816
• https://access.redhat.com/errata/RHSA-2024:4697
• https://access.redhat.com/errata/RHSA-2024:4613
• https://access.redhat.com/errata/RHSA-2024:4616
• https://access.redhat.com/errata/RHSA-2024:4872
• https://access.redhat.com/errata/RHSA-2024:4982
• https://access.redhat.com/errata/RHSA-2024:5291
• https://access.redhat.com/errata/RHSA-2024:5547
• https://access.redhat.com/errata/RHSA-2024:6221
• https://access.redhat.com/errata/RHSA-2024:6462
• https://access.redhat.com/errata/RHSA-2024:6765
• https://access.redhat.com/errata/RHSA-2024:6969
• https://access.redhat.com/errata/RHSA-2024:7164
• https://access.redhat.com/errata/RHSA-2024:6341
• https://access.redhat.com/errata/RHSA-2024:9089
• https://access.redhat.com/errata/RHSA-2024:9098
• https://access.redhat.com/errata/RHSA-2024:9115
• https://access.redhat.com/errata/RHSA-2024:9135
• https://access.redhat.com/errata/RHSA-2024:9200
• https://access.redhat.com/errata/RHSA-2024:9277
• https://access.redhat.com/errata/RHSA-2024:9485
• https://bugzilla.redhat.com/show_bug.cgi?id=2279814
• https://github.com/golang/go/issues/66754
• https://go-review.googlesource.com/c/go/+/578375
• https://github.com/golang/go/commit/865760373194e358fefa4d1e45ebdf2141b77b59
• https://github.com/golang/go/commit/93d8777d244962d1b706c0b695c8b72e9702577e
• https://www.ibm.com/support/pages/node/7182403 (Advisory)

Parent vulnerabilities

(Appears in the following advisories)

• IBM-7182403

Frequently Asked Questions

• What is the severity of CVE-2024-24788?

  CVE-2024-24788 has been classified as a medium severity vulnerability due to its potential to cause an infinite loop in DNS message processing.

• How do I fix CVE-2024-24788?

  To remediate CVE-2024-24788, update IBM Concert Software to version 1.0.2 or higher, or ensure that affected Go packages are upgraded to their corresponding fixed versions.

• What software is affected by CVE-2024-24788?

  CVE-2024-24788 affects IBM Concert Software versions 1.0.0 to 1.0.1 and several Go package versions including Go 1.22.3 and earlier.

• What impact does CVE-2024-24788 have on systems?

  The impact of CVE-2024-24788 includes potential denial of service due to the affected Lookup functions getting stuck in an infinite loop.

• Where can I find more information about CVE-2024-24788?

  Detailed information regarding CVE-2024-24788 can be found in security advisories published by the respective vendors and cybersecurity communities.