Bug 1200528 (CVE-2022-1996) - VUL-0: CVE-2022-1996: go-restful: CORS bypass
Status: NEW
Alias: CVE-2022-1996
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/334051/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1996:9.1:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-06-14 15:05 UTC by Carlos López
Modified: 2024-03-07 12:30 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
gianluca.gabrielli: needinfo? (fcastelli)
gianluca.gabrielli: needinfo? (public-cloud-maintainers)
gianluca.gabrielli: needinfo? (jmassaguerpla)


Comment 1 Carlos López 2022-06-14 15:05:26 UTC
There are a lot of Go packages embedding this library and containing the affected code. The ones that I could find:

 - SUSE:SLE-12:Update/containerd
 - openSUSE:Factory/containerd

 - SUSE:SLE-15-SP2:Update/containerized-data-importer
 - SUSE:SLE-15-SP3:Update/containerized-data-importer
 - SUSE:SLE-15-SP4:Update/containerized-data-importer
 - openSUSE:Factory/containerized-data-importer

 - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/cri-o
 - openSUSE:Factory/cri-o
 - openSUSE:Leap:15.3/cri-o
 - openSUSE:Leap:15.4/cri-o

 - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm3

 - SUSE:SLE-12:Update/kubernetes
 - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/kubernetes

 - openSUSE:Backports:SLE-15-SP3/flannel
 - openSUSE:Backports:SLE-15-SP4/flannel

 - SUSE:SLE-15:Update/aws-iam-authenticator

 - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/skuba

 - SUSE:SLE-15-SP1:Update:Products:SES6:Update/rook
 - SUSE:SLE-15-SP2:Update:Products:SES7:Update/rook

 - openSUSE:Backports:SLE-15-SP3/ceph-csi

 - SUSE:SLE-15-SP2:Update/terraform-provider-kubernetes

 - SUSE:SLE-15-SP1:Update/terraform-provider-helm
 - SUSE:SLE-15-SP2:Update/terraform-provider-helm
Comment 3 Robert Schweikert 2022-06-15 18:49:05 UTC
Public Cloud team will take responsibility for

aws-iam-authenticator
terraform-provider-kubernetes
terraform-provider-helm

All other packages need to be distributed to other teams.
Comment 4 Michal Jura 2022-06-16 14:58:49 UTC
I will investigate it
Comment 5 Vasily Ulyanov 2022-07-07 04:55:14 UTC
`containerized-data-importer` is not affected. The vulnerable code is not used and eventually it is not linked into the binaries. Also `kubevirt` package depends on `go-restful`. It is not affected either (the code is not used).
Comment 6 Carlos López 2022-07-07 07:20:42 UTC
(In reply to Vasily Ulyanov from comment #5)
> `containerized-data-importer` is not affected. The vulnerable code is not
> used and eventually it is not linked into the binaries. Also `kubevirt`
> package depends on `go-restful`. It is not affected either (the code is not
> used).

Thanks, I've updated the tracking
Comment 9 OBSbugzilla Bot 2022-08-10 22:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1200528) was mentioned in
https://build.opensuse.org/request/show/994401 Factory / helm
Comment 21 Swamp Workflow Management 2022-09-20 19:19:38 UTC
SUSE-SU-2022:3321-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1199392,1199460,1199603,1200528,1202516
CVE References: CVE-2022-1798,CVE-2022-1996,CVE-2022-29162
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kubevirt-0.49.0-150300.8.13.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    kubevirt-0.49.0-150300.8.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2022-09-22 10:20:11 UTC
SUSE-SU-2022:3335-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1200528
CVE References: CVE-2022-1996
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    containerized-data-importer-1.43.2-150300.8.9.3
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    containerized-data-importer-1.43.2-150300.8.9.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2022-09-22 10:21:05 UTC
SUSE-SU-2022:3333-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1199392,1199460,1199603,1200528,1202516
CVE References: CVE-2022-1798,CVE-2022-1996,CVE-2022-29162
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    kubevirt-0.54.0-150400.3.3.2
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    kubevirt-0.54.0-150400.3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2022-09-22 10:21:51 UTC
SUSE-SU-2022:3334-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1200528
CVE References: CVE-2022-1996
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    containerized-data-importer-1.51.0-150400.4.3.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    containerized-data-importer-1.51.0-150400.4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2022-10-19 22:26:09 UTC
SUSE-SU-2022:3666-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1200528,1203054
CVE References: CVE-2022-1996,CVE-2022-36055
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    helm-3.9.4-150000.1.10.3
openSUSE Leap 15.3 (src):    helm-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    helm-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    helm-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    helm-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    helm-3.9.4-150000.1.10.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Stoyan Manolov 2023-01-10 16:16:28 UTC
Any updates, please? We are still missing fixes for the following:

- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/cri-o
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm3
- SUSE:SLE-12:Update/kubernetes
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/kubernetes
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/skuba

- SUSE:SLE-15:Update/aws-iam-authenticator
- SUSE:SLE-15-SP1:Update/terraform-provider-helm
- SUSE:SLE-15-SP2:Update/terraform-provider-helm
- SUSE:SLE-15-SP1:Update/terraform-provider-kubernetes
- SUSE:SLE-15-SP2:Update/terraform-provider-kubernetes
Comment 34 OBSbugzilla Bot 2023-02-21 11:25:06 UTC
This is an autogenerated message for OBS integration:
This bug (1200528) was mentioned in
https://build.opensuse.org/request/show/1066971 Backports:SLE-15-SP4 / helm
Comment 37 Petr Gajdos 2023-04-11 10:26:09 UTC
Package submitted:
https://build.suse.de/request/show/294215
Comment 44 Maintenance Automation 2023-04-25 20:30:10 UTC
SUSE-SU-2023:2002-1: An update that solves one vulnerability can now be installed.

Category: security (critical)
Bug References: 1200528
CVE References: CVE-2022-1996
Sources used:
SUSE CaaS Platform 4.0 (src): helm-2.16.12-150100.3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 54 Maintenance Automation 2023-12-12 12:30:01 UTC
SUSE-SU-2023:4727-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1200528
CVE References: CVE-2022-1996
Sources used:
openSUSE Leap Micro 5.3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
openSUSE Leap Micro 5.4 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
openSUSE Leap 15.4 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
openSUSE Leap 15.5 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Micro 5.3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Micro 5.4 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Micro 5.5 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
Containers Module 15-SP4 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
Containers Module 15-SP5 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Enterprise Storage 7.1 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE CaaS Platform 4.0 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Micro 5.1 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Micro 5.2 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 56 Maintenance Automation 2024-03-07 12:30:21 UTC
SUSE-SU-2024:0799-1: An update that solves one vulnerability can now be installed.

Category: security (critical)
Bug References: 1200528
CVE References: CVE-2022-1996
Sources used:
Containers Module 12 (src): containerd-1.7.8-16.91.7

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.