GitHub Advisory DatabaseGHSA-9RPW-2H95-666CCloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling package
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
38.4%
Impact
The sflow decode package prior to version 3.4.4 does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume huge amounts of memory resulting in a denial of service.
Specific Go Packages Affected
github.com/cloudflare/goflow/v3/decoders/sflow
Patches
Version 3.4.4 contains patches fixing this.
Workarounds
A possible workaround is to not have your goflow collector publicly reachable.
For more information
If you have any questions or comments about this advisory:
- Open an issue in goflow repo
- Email us netdev[@]cloudflare.com
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| cloudflare | goflow | * | cpe:2.3:a:cloudflare:goflow:*:*:*:*:*:*:*:* |
References
github.com/advisories/GHSA-9rpw-2h95-666c
github.com/cloudflare/goflow/commit/2b94619a6204443e3ca1769f4e459f9f57039c51
github.com/cloudflare/goflow/commit/c829ccd2c0aafdc9b886b20bf6f28095607f4998
github.com/cloudflare/goflow/releases/tag/v3.4.4
github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c
nvd.nist.gov/vuln/detail/CVE-2022-2529
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
38.4%