Bug 1206467 - (CVE-2022-23524) VUL-0: CVE-2022-23524: helm3,helm: Denial of service through string value parsing
VUL-0: CVE-2022-23524: helm3,helm: Denial of service through string value par...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Frederic Crozat
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2022-12-16 09:15 UTC by Hu
Modified: 2023-02-21 11:25 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
stoyan.manolov: needinfo? (fcrozat)


Note You need to log in before you can comment on or make changes to this bug.
Description Hu 2022-12-16 09:15:52 UTC

Helm is a tool for managing Charts, pre-configured Kubernetes resources.
Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption,
resulting in Denial of Service. Input to functions in the _strvals_ package can
cause a stack overflow. In Go, a stack overflow cannot be recovered from.
Applications that use functions from the _strvals_ package in the Helm SDK can
have a Denial of Service attack when they use this package and it panics. This
issue has been patched in 3.10.3. SDK users can validate strings supplied by
users won't create large arrays causing significant memory usage before passing
them to the _strvals_ functions.

Comment 1 Hu 2022-12-16 09:16:31 UTC
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm   2.16.12
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm3  3.3.3  
- SUSE:SLE-15:Update/helm                              3.9.4  
- openSUSE:Backports:SLE-15-SP3/helm                   3.5.2  
- openSUSE:Backports:SLE-15-SP4/helm                   3.8.0  

Not Affected:
- openSUSE:Factory/helm                                3.10.3
Comment 3 Dirk Mueller 2022-12-16 09:47:26 UTC
I can not update  openSUSE:Backports:SLE-15-SP3/SP4 anymore because that is overlapping with SUSE:SLE-15:Update/helm . 

I am not maintaining CASP.
Comment 4 Dirk Mueller 2022-12-16 09:49:40 UTC
SUSE:SLE-15:Update submitted. Reassign to Frederic for coldpool / helm3
Comment 5 OBSbugzilla Bot 2022-12-16 10:25:03 UTC
This is an autogenerated message for OBS integration:
This bug (1206467) was mentioned in
https://build.opensuse.org/request/show/1043303 Factory / helm
Comment 7 Swamp Workflow Management 2022-12-22 14:20:27 UTC
SUSE-SU-2022:4606-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1181419,1206467,1206469,1206471
CVE References: CVE-2021-21272,CVE-2022-1996,CVE-2022-23524,CVE-2022-23525,CVE-2022-23526
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    helm-3.10.3-150000.1.13.1
openSUSE Leap 15.3 (src):    helm-3.10.3-150000.1.13.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    helm-3.10.3-150000.1.13.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    helm-3.10.3-150000.1.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Hu 2023-01-05 08:35:01 UTC
Hi Frederic, any updates here? Thanks :)
Comment 10 OBSbugzilla Bot 2023-02-21 11:25:10 UTC
This is an autogenerated message for OBS integration:
This bug (1206467) was mentioned in
https://build.opensuse.org/request/show/1066971 Backports:SLE-15-SP4 / helm