cvelist GitHub_M CVELIST:CVE-2022-29177
History: May 20, 2022 - 4:20 p.m.

CVE-2022-29177 DoS via malicious p2p message in Go-Ethereum

2022-05-20 16:20:10
CWE-400
GitHub_M
www.cve.org

CVSS3: 5.9

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 39.2%

Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 contains a patch that addresses the problem. As a workaround, setting the log level to the default (INFO) makes the node not vulnerable to this attack.

CNA Affected

[
  {
    "product": "go-ethereum",
    "vendor": "ethereum",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.10.17"
      }
    ]
  }
]
