Bugzilla – Bug 1203054
VUL-0: CVE-2022-36055: helm3,helm: denial of service through string value parsing
Last modified: 2022-12-08 10:38:14 UTC
CVE-2022-36055: Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings into structures Go can work with. Some string inputs can cause array data structures to be created, causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user-supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm client will panic on input to `--set`, `--set-string`, and other value-setting flags that causes an out of memory panic. Helm is not a long-running service, so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate that strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.
Upstream fix: https://github.com/helm/helm/commit/10466e3e179cc8cad4b0bb451108d3c442c69fbc
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36055
https://www.cve.org/CVERecord?id=CVE-2022-36055
https://github.com/helm/helm/releases/tag/v3.9.4
https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh
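The advisory's mitigation for SDK users is to reject value strings that would force a huge list allocation before they reach the _strvals_ parser. The following Go program is an added example written for this page, not Helm's own code and not the upstream fix: it scans a `--set`-style string for `[N]` list indexes, refuses anything above an assumed cap (`maxIndex`, chosen here for illustration), and shows the same cap applied at the point where a list is grown to hold an index. The call to Helm's parser (for example `strvals.ParseInto`) is assumed and not included, so the program runs stand-alone.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// maxIndex is an illustrative cap on list indexes accepted from user input.
// It is an assumption of this example, not a constant taken from Helm.
const maxIndex = 65536

// indexesIn returns every list index written as "[N]" anywhere in a
// --set style string such as "servers[3].port=80,names[2]=x".
// It deliberately scans the whole string rather than only key segments:
// a pre-check may reject a value that merely contains "[N]", which is
// an acceptable false positive for a guard in front of the real parser.
func indexesIn(s string) ([]int, error) {
	var out []int
	for {
		open := strings.IndexByte(s, '[')
		if open < 0 {
			return out, nil
		}
		rest := s[open+1:]
		end := strings.IndexByte(rest, ']')
		if end < 0 {
			return nil, errors.New("unterminated '[' in set string")
		}
		// Atoi fails on non-digits and on numbers that overflow int; both
		// are rejected here rather than passed on to the parser.
		n, err := strconv.Atoi(rest[:end])
		if err != nil {
			return nil, fmt.Errorf("bad list index %q: %w", rest[:end], err)
		}
		if n < 0 {
			return nil, fmt.Errorf("negative list index %d", n)
		}
		out = append(out, n)
		s = rest[end+1:]
	}
}

// ValidateSetString rejects a --set style string whose list indexes exceed
// max. Run it on user-supplied input before handing the string to the
// strvals parser; unlike the parser, it allocates nothing proportional to N.
func ValidateSetString(s string, max int) error {
	idx, err := indexesIn(s)
	if err != nil {
		return err
	}
	for _, n := range idx {
		if n > max {
			return fmt.Errorf("list index %d exceeds maximum %d", n, max)
		}
	}
	return nil
}

// setListIndex is the parser-side counterpart: it extends list so that
// list[idx] exists and stores v there, but refuses to grow past maxIndex.
// Without the check, a single "[4294967295]" makes this allocate a slice
// of billions of interface values, which is the out of memory condition
// described in the advisory.
func setListIndex(list []interface{}, idx int, v interface{}) ([]interface{}, error) {
	if idx < 0 || idx > maxIndex {
		return nil, fmt.Errorf("index %d outside supported range 0..%d", idx, maxIndex)
	}
	if idx >= len(list) {
		grown := make([]interface{}, idx+1)
		copy(grown, list)
		list = grown
	}
	list[idx] = v
	return list, nil
}

func main() {
	// Constructed sample inputs: one benign, one hostile.
	for _, in := range []string{
		"image.tag=1.2,servers[3].port=80",
		"servers[4294967295].name=x",
	} {
		if err := ValidateSetString(in, maxIndex); err != nil {
			fmt.Printf("reject %q: %v\n", in, err)
			continue
		}
		fmt.Printf("accept %q\n", in)
	}
	if _, err := setListIndex(nil, maxIndex+1, "x"); err != nil {
		fmt.Println("parser-side guard:", err)
	}
}
```

The two checks are complementary: the pre-validation protects callers of an unpatched SDK, while the guard in `setListIndex` is the shape of defence a parser itself needs so that a caller cannot bypass it by building the string another way.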
Tracking as affected: - SUSE:SLE-15:Update/helm - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm3
Fixed helm in openSUSE:Factory (actually already a few weeks ago) and SUSE:SLE-15:Update. Reassigning for helm3.
This is an autogenerated message for OBS integration: This bug (1203054) was mentioned in https://build.opensuse.org/request/show/1002901 Factory / helm
SUSE-SU-2022:3530-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1203054 CVE References: CVE-2022-36055 JIRA References: Sources used: SUSE CaaS Platform 4.0 (src): helm3-3.3.3-150100.1.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3666-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1200528,1203054 CVE References: CVE-2022-1996,CVE-2022-36055 JIRA References: Sources used: openSUSE Leap 15.4 (src): helm-3.9.4-150000.1.10.3 openSUSE Leap 15.3 (src): helm-3.9.4-150000.1.10.3 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): helm-3.9.4-150000.1.10.3 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): helm-3.9.4-150000.1.10.3 SUSE Linux Enterprise Module for Containers 15-SP4 (src): helm-3.9.4-150000.1.10.3 SUSE Linux Enterprise Module for Containers 15-SP3 (src): helm-3.9.4-150000.1.10.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.