Bug 1206467 - (CVE-2022-23524) VUL-0: CVE-2022-23524: helm3,helm: Denial of service through string value parsing
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Frederic Crozat
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/350923/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-23524:5.3:(AV:...
Reported: 2022-12-16 09:15 UTC by Hu
Modified: 2023-02-21 11:25 UTC
Found By: Security Response Team
Flags: stoyan.manolov: needinfo? (fcrozat)
Description Hu 2022-12-16 09:15:52 UTC
CVE-2022-23524

Helm is a tool for managing Charts, pre-configured Kubernetes resources.
Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption,
resulting in Denial of Service. Input to functions in the _strvals_ package can
cause a stack overflow. In Go, a stack overflow cannot be recovered from.
Applications that use functions from the _strvals_ package in the Helm SDK can
have a Denial of Service attack when they use this package and it panics. This
issue has been patched in 3.10.3. SDK users can validate strings supplied by
users won't create large arrays causing significant memory usage before passing
them to the _strvals_ functions.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23524
https://www.cve.org/CVERecord?id=CVE-2022-23524
https://github.com/helm/helm/security/advisories/GHSA-6rx9-889q-vv2r
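The advisory's mitigation for SDK users is to validate user-supplied strings before they reach the strvals functions. The Go program below is an added example of such a pre-check and is not Helm's code or part of this bug report: it scans a "--set" style string pair by pair and rejects any key that would ask the parser to build a list with a very large index or to nest deeper than a limit, which are the two input shapes the description associates with the memory growth and the unrecoverable stack overflow. The function names, the limits of 65536 and 30 used in main, the sample inputs and the simplified backslash-only escaping are all constructed for this example; the strvals package itself is not imported.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var (
	ErrIndexTooLarge = errors.New("list index exceeds the configured maximum")
	ErrTooDeep       = errors.New("key nesting exceeds the configured maximum")
	ErrBadIndex      = errors.New("malformed list index")
)

// PrecheckSetString inspects a Helm-style "--set" string (comma-separated key=value pairs)
// and reports a key whose list index exceeds maxIndex or whose nesting exceeds maxDepth.
func PrecheckSetString(s string, maxIndex, maxDepth int) error {
	for _, pair := range splitPairs(s) {
		key := pair
		if i := strings.IndexByte(pair, '='); i >= 0 {
			key = pair[:i]
		}
		if err := checkKey(key, maxIndex, maxDepth); err != nil {
			return fmt.Errorf("key %q: %w", key, err)
		}
	}
	return nil
}

// splitPairs splits on commas outside {...} list literals; a backslash escapes the next byte.
func splitPairs(s string) []string {
	var pairs []string
	var cur strings.Builder
	depth := 0
	for i := 0; i < len(s); i++ {
		switch {
		case s[i] == '\\' && i+1 < len(s):
			cur.WriteByte(s[i]) // keep the backslash, then copy the escaped byte below
			i++
		case s[i] == '{':
			depth++
		case s[i] == '}' && depth > 0:
			depth--
		case s[i] == ',' && depth == 0:
			pairs = append(pairs, cur.String())
			cur.Reset()
			continue
		}
		cur.WriteByte(s[i])
	}
	if cur.Len() > 0 {
		pairs = append(pairs, cur.String())
	}
	return pairs
}

// checkKey walks one key such as "a.b[3].c"; each "." and each "[N]" adds one nesting level.
func checkKey(key string, maxIndex, maxDepth int) error {
	level := 1 // the leading name segment is level one
	for i := 0; i < len(key); i++ {
		switch key[i] {
		case '\\':
			i++ // skip the escaped byte
		case '.':
			level++
		case '[':
			end := strings.IndexByte(key[i:], ']')
			if end < 0 {
				return ErrBadIndex
			}
			idx, err := strconv.Atoi(key[i+1 : i+end])
			if err != nil || idx < 0 {
				return fmt.Errorf("%w: %q", ErrBadIndex, key[i+1:i+end])
			}
			if idx > maxIndex {
				return fmt.Errorf("%w: %d > %d", ErrIndexTooLarge, idx, maxIndex)
			}
			level++
			i += end
		}
		if level > maxDepth {
			return fmt.Errorf("%w: %d > %d", ErrTooDeep, level, maxDepth)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs; the limits 65536 and 30 are values chosen for this example.
	for _, s := range []string{
		"image.tag=1.2.3,tags={a,b,c}",
		"servers[99999999]=x",
		strings.Repeat("a.", 40) + "b=1",
	} {
		fmt.Printf("%q -> %v\n", s, PrecheckSetString(s, 65536, 30))
	}
}
```

The check deliberately reads only the key side of each pair and never interprets values, so it can sit in front of any code path that forwards user input to strvals; rejected strings return a wrapped sentinel error that callers can match with errors.Is.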
Comment 1 Hu 2022-12-16 09:16:31 UTC
Affected:
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm   2.16.12
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm3  3.3.3  
- SUSE:SLE-15:Update/helm                              3.9.4  
- openSUSE:Backports:SLE-15-SP3/helm                   3.5.2  
- openSUSE:Backports:SLE-15-SP4/helm                   3.8.0  

Not Affected:
- openSUSE:Factory/helm                                3.10.3
Comment 3 Dirk Mueller 2022-12-16 09:47:26 UTC
I cannot update openSUSE:Backports:SLE-15-SP3/SP4 anymore because that is overlapping with SUSE:SLE-15:Update/helm.

I am not maintaining CASP.
Comment 4 Dirk Mueller 2022-12-16 09:49:40 UTC
SUSE:SLE-15:Update submitted. Reassign to Frederic for coldpool / helm3
Comment 5 OBSbugzilla Bot 2022-12-16 10:25:03 UTC
This is an autogenerated message for OBS integration:
This bug (1206467) was mentioned in
https://build.opensuse.org/request/show/1043303 Factory / helm
Comment 7 Swamp Workflow Management 2022-12-22 14:20:27 UTC
SUSE-SU-2022:4606-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1181419,1206467,1206469,1206471
CVE References: CVE-2021-21272,CVE-2022-1996,CVE-2022-23524,CVE-2022-23525,CVE-2022-23526
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    helm-3.10.3-150000.1.13.1
openSUSE Leap 15.3 (src):    helm-3.10.3-150000.1.13.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    helm-3.10.3-150000.1.13.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    helm-3.10.3-150000.1.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Hu 2023-01-05 08:35:01 UTC
Hi Frederic, any updates here? Thanks :)
Comment 10 OBSbugzilla Bot 2023-02-21 11:25:10 UTC
This is an autogenerated message for OBS integration:
This bug (1206467) was mentioned in
https://build.opensuse.org/request/show/1066971 Backports:SLE-15-SP4 / helm