QID 354094

Date Published: 2022-10-25

QID 354094: Amazon Linux Security Advisory for golang-github-gorilla-context : ALAS2-2022-1859

a flaw was found in golang.
The http/1 client accepted invalid transfer-encoding headers indicating "chunked" encoding.
This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. (
( CVE-2022-1705) a flaw was found in the golang standard library, go/parser.
When calling any parse functions on the go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion.
This issue allows an attacker to impact system availability. (
( CVE-2022-1962) authorization bypass through user-controlled key in github repository emicklei/go-restful prior to v3.8.0. (
( CVE-2022-1996) a buffer overflow flaw was found in golangs library encoding/pem.
This flaw allows an attacker to use a large pem input (more than 5 mb) ), causing a stack overflow in decode, which leads to a loss of availability. (
( CVE-2022-24675) a broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh.
This issue causes a client to fail authentification with rsa keys to servers that reject signature algorithms based on sha-2, enabling an attacker to crash the server, resulting in a loss of availability. (
( CVE-2022-27191) in net/http in go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an http/2 connection can hang during closing if shutdown were preempted by a fatal error. (
( CVE-2022-27664) a flaw was found in golang encoding/xml.
When calling decoder.
Skip while parsing a deeply nested xml document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability. (
Calling the reader.
Reverseproxy.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.

CVSS V3 rated as Critical - 9.1 severity.

CVSS V2 rated as High - 6.4 severity.

Solution

Please refer to Amazon advisory: ALAS2-2022-1859 for affected packages and patching details, or update with your package manager.

Vendor References

ALAS2-2022-1859 - alas.aws.amazon.com/AL2/ALAS-2022-1859.html

CVEs related to QID 354094

CVE-2022-30632 | CVE-2022-32148 | CVE-2022-30635 | CVE-2022-27191 | CVE-2022-29526 | CVE-2022-1705 | CVE-2022-27664 | CVE-2022-28131 | CVE-2022-30631 | CVE-2022-1996 | CVE-2022-1962 | CVE-2022-28327 | CVE-2022-30629 | CVE-2022-30633 | CVE-2022-30630 | CVE-2022-24675 |

Software Advisories

Advisory ID	Software	Component	Link
ALAS2-2022-1859	Amazon Linux 2		alas.aws.amazon.com/AL2/ALAS-2022-1859.html

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].