Lucene search

K
redhatRedHatRHSA-2023:1529
HistoryMar 30, 2023 - 12:41 a.m.

(RHSA-2023:1529) Moderate: Service Telemetry Framework 1.5 security update

2023-03-3000:41:11
access.redhat.com
17
service telemetry framework
stf
golang
security update
vulnerabilities
cve-2022-23806
cve-2022-23772
cve-2022-23773
cve-2022-24675
cve-2022-28327
cve-2022-29526
cve-2022-30631
cve-2022-30630
cve-2022-1705
cve-2022-30632
cve-2022-27664
cve-2022-41715
cve-2022-41717
cve-2022-30629
cve-2022-32189

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS

0.006

Percentile

78.9%

Service Telemetry Framework (STF) provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform (OCP) deployment for storage, retrieval, and monitoring.

Security Fix(es):

  • golang: crypto/elliptic: IsOnCurve returns true for invalid field elements (CVE-2022-23806)

  • golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString (CVE-2022-23772)

  • golang: cmd/go: misinterpretation of branch names can lead to incorrect access control (CVE-2022-23773)

  • golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

  • golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)

  • golang: syscall: faccessat checks wrong group (CVE-2022-29526)

  • golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

  • golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

  • golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

  • golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

  • golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

  • golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

  • golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

  • golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS

0.006

Percentile

78.9%