Bug 1203054 - (CVE-2022-36055) VUL-0: CVE-2022-36055: helm3,helm: denial of service through string value parsing
Status: IN_PROGRESS
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/341354/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-36055:7.5:(AV:...
Reported: 2022-09-02 08:36 UTC by Thomas Leroy
Modified: 2022-12-08 10:38 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Flags: gabriele.sonnu: needinfo? (coldpool)
Description Thomas Leroy 2022-09-02 08:36:06 UTC
CVE-2022-36055

Helm is a tool for managing Charts. Charts are packages of pre-configured
Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to
functions in the _strvals_ package that can cause an out of memory panic. The
_strvals_ package contains a parser that turns strings into Go structures. The
_strvals_ package converts these strings into structures Go can work with. Some
string inputs can cause array data structures to be created causing an out of
memory panic. Applications that use the _strvals_ package in the Helm SDK to
parse user supplied input can suffer a Denial of Service when that input causes
a panic that cannot be recovered from. The Helm Client will panic with input to
`--set`, `--set-string`, and other value setting flags that causes an out of
memory panic. Helm is not a long running service so the panic will not affect
future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users
can validate strings supplied by users won't create large arrays causing
significant memory usage before passing them to the _strvals_ functions.

Upstream fix:
https://github.com/helm/helm/commit/10466e3e179cc8cad4b0bb451108d3c442c69fbc

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36055
https://www.cve.org/CVERecord?id=CVE-2022-36055
https://github.com/helm/helm/releases/tag/v3.9.4
https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh
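One way an SDK user can do that validation before handing a `--set` style string to the _strvals_ parser, as an added example that is not part of this bug report or of Helm's own code (the `validateSetString` name and the 65536 index cap are assumptions chosen for this illustration):

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// maxIndex caps the list index accepted in a value string. The value is an
// assumption for this example; choose one that fits the charts you deploy.
const maxIndex = 65536

// validateSetString scans a Helm-style value string such as
// "a.b[3]=x,c[0].d=y" and rejects any bracketed list index above maxIndex.
// The parser grows a Go slice up to the largest index it sees, so an index
// like [999999999] forces a huge allocation before a value is even stored;
// refusing such input up front keeps the allocation from ever happening.
// The check is conservative: a '[' inside a value is treated as an index too.
func validateSetString(s string) error {
	for i := 0; i < len(s); i++ {
		if s[i] != '[' {
			continue
		}
		end := strings.IndexByte(s[i:], ']')
		if end < 0 {
			return errors.New("unterminated '[' in value string")
		}
		idxText := s[i+1 : i+end]
		idx, err := strconv.Atoi(idxText)
		if err != nil || idx < 0 {
			return fmt.Errorf("invalid list index %q", idxText)
		}
		if idx > maxIndex {
			return fmt.Errorf("list index %d exceeds limit %d", idx, maxIndex)
		}
		i += end // skip past the closing ']'
	}
	return nil
}

func main() {
	// Constructed sample inputs: two benign strings and one oversized index.
	for _, in := range []string{"image.tag=1.0", "servers[2].port=80", "servers[999999999].port=80"} {
		fmt.Printf("%-30s -> %v\n", in, validateSetString(in))
	}
}
```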
Comment 1 Thomas Leroy 2022-09-02 08:36:53 UTC
Tracking as affected:
- SUSE:SLE-15:Update/helm
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm3
Comment 2 Dirk Mueller 2022-09-12 11:50:18 UTC
Fixed helm in openSUSE:Factory (actually already a few weeks ago) and SUSE:SLE-15:Update. Reassigning for helm3.
Comment 4 OBSbugzilla Bot 2022-09-12 12:25:03 UTC
This is an autogenerated message for OBS integration:
This bug (1203054) was mentioned in
https://build.opensuse.org/request/show/1002901 Factory / helm
Comment 8 Swamp Workflow Management 2022-10-05 19:19:23 UTC
SUSE-SU-2022:3530-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1203054
CVE References: CVE-2022-36055
JIRA References: 
Sources used:
SUSE CaaS Platform 4.0 (src):    helm3-3.3.3-150100.1.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-10-19 22:26:15 UTC
SUSE-SU-2022:3666-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1200528,1203054
CVE References: CVE-2022-1996,CVE-2022-36055
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    helm-3.9.4-150000.1.10.3
openSUSE Leap 15.3 (src):    helm-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    helm-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    helm-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    helm-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    helm-3.9.4-150000.1.10.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.