Resource exhaustion in Go programming language

#VU62038 Resource exhaustion in Go programming language

Published: 2022-04-10

Vulnerability identifier: #VU62038

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-23772

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the Rat.SetString(0 function in math/big. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.17 - 1.17.6, 1.16 - 1.16.13

CPE

cpe:2.3:a:google:golang:1.17.6:*:*:*:*:*:*:*

External links
http://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
http://security.netapp.com/advisory/ntap-20220225-0006/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Service Telemetry Framework

Amazon Linux AMI update for golang

Multiple vulnerabilities in OpenShift Virtualization 4.12

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data update for Go

Multiple vulnerabilities in Netcool Operations Insight

Multiple vulnerabilities in IBM Cloud Transformation Advisor

Multiple vulnerabilities in OpenShift Virtualization

Multiple vulnerabilities in OpenShift Container Platform 4.11

Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Multiple vulnerabilities in Red Hat OpenShift Data Foundation