Lucene search

K
redhatRedHatRHSA-2023:2204
HistoryMay 09, 2023 - 5:03 a.m.

(RHSA-2023:2204) Moderate: Image Builder security, bug fix, and enhancement update

2023-05-0905:03:19
access.redhat.com
26
image builder
security fix
bug fix
enhancement
update
golang
net/http
memory consumption
reverse proxy
server errors
regexps
cvss score
rhel 9.2

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.003

Percentile

68.9%

Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.

Security Fix(es):

  • golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)

  • golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)

  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

  • golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

  • golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.003

Percentile

68.9%