QID 354566

QID 354566: Amazon Linux Security Advisory for golang : ALAS-2022-193

a flaw was found in golang.
The http/1 client accepted invalid transfer-encoding headers indicating "chunked" encoding.
This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. (
( CVE-2022-1705) a flaw was found in the golang standard library, go/parser.
When calling any parse functions on the go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion.
This issue allows an attacker to impact system availability. (
( CVE-2022-1962) in net/http in go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an http/2 connection can hang during closing if shutdown were preempted by a fatal error. (
( CVE-2022-27664) a flaw was found in golang encoding/xml.
When calling decoder.
Skip while parsing a deeply nested xml document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability. (
( CVE-2022-28131) a flaw was found in the golang standard library, io/fs.
Calling glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion.
This could allow an attacker to impact availability. (
( CVE-2022-30630) a flaw was found in golang.
Calling the reader.
Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic issue due to stack exhaustion. (
( CVE-2022-30631) a flaw was found in golang.
This can cause an attacker to impact availability. (
( CVE-2022-30633) a flaw was found in golang.
Reverseproxy.
Servehttp with a request.
( CVE-2022-32190)

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.

CVSS V3 rated as Critical - 9.8 severity.

CVSS V2 rated as High - 7.5 severity.

Solution

Please refer to Amazon advisory: ALAS-2022-193 for affected packages and patching details, or update with your package manager.

Vendor References

ALAS-2022-193 - alas.aws.amazon.com/AL2022/ALAS-2022-193.html

CVEs related to QID 354566

CVE-2022-28131 | CVE-2022-1705 | CVE-2022-32148 | CVE-2021-41771 | CVE-2022-30633 | CVE-2021-44716 | CVE-2022-30632 | CVE-2021-41772 | CVE-2022-1962 | CVE-2022-27191 | CVE-2022-29526 | CVE-2022-28327 | CVE-2022-32190 | CVE-2022-30630 | CVE-2022-30629 | CVE-2022-1996 | CVE-2021-44717 | CVE-2022-30631 | CVE-2022-30635 | CVE-2021-38297 | CVE-2022-32189 | CVE-2021-33196 | CVE-2022-24675 | CVE-2022-27664 |

Software Advisories

Advisory ID	Software	Component	Link
ALAS-2022-193	amazon linux 2022		alas.aws.amazon.com/AL2022/ALAS-2022-193.html

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].