Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/kubeedge/kubeedge: CVE-2022-31079 #511

Closed
GoVulnBot opened this issue Jul 11, 2022 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/kubeedge/kubeedge: CVE-2022-31079 #511

GoVulnBot opened this issue Jul 11, 2022 · 3 comments
Assignees
@neild
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2022-31079 references github.com/kubeedge/kubeedge, which may be a Go module.

Description:
KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the Cloud Stream server and the Edge Stream server reads the entire message into memory without imposing a limit on the size of this message. An attacker can exploit this by sending a large message to exhaust memory and cause a DoS. The Cloud Stream server and the Edge Stream server are under DoS attack in this case. The consequence of the exhaustion is that the CloudCore and EdgeCore will be in a denial of service. Only an authenticated user can cause this issue. It will be affected only when users enable cloudStream module in the config file cloudcore.yaml and enable edgeStream module in the config file edgecore.yaml. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable cloudStream module in the config file cloudcore.yaml and disable edgeStream module in the config file edgecore.yaml.

Links:

See doc/triage.md for instructions on how to triage this report.

packages:
  - module: github.com/kubeedge/kubeedge
    package: kubeedge
description: |
    KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the Cloud Stream server and the Edge Stream server reads the entire message into memory without imposing a limit on the size of this message. An attacker can exploit this by sending a large message to exhaust memory and cause a DoS. The Cloud Stream server and the Edge Stream server are under DoS attack in this case. The consequence of the exhaustion is that the CloudCore and EdgeCore will be in a denial of service. Only an authenticated user can cause this issue. It will be affected only when users enable `cloudStream` module in the config file `cloudcore.yaml` and enable `edgeStream` module in the config file `edgecore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable cloudStream module in the config file `cloudcore.yaml` and disable edgeStream module in the config file `edgecore.yaml`.
cves:
  - CVE-2022-31079
links:
    context:
      - https://github.com/kubeedge/kubeedge/security/advisories/GHSA-wrcr-x4qj-j543
@neild neild self-assigned this Jul 11, 2022
@neild
Copy link
Contributor

neild commented Jul 11, 2022

Vulnerability in tool.

@neild neild closed this as completed Jul 11, 2022
@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 10, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592768 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607220 mentions this issue: data/reports: unexclude 20 reports (18)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (18)
2c69a3a 
  - data/reports/GO-2022-0507.yaml
  - data/reports/GO-2022-0508.yaml
  - data/reports/GO-2022-0509.yaml
  - data/reports/GO-2022-0510.yaml
  - data/reports/GO-2022-0511.yaml
  - data/reports/GO-2022-0512.yaml
  - data/reports/GO-2022-0516.yaml
  - data/reports/GO-2022-0517.yaml
  - data/reports/GO-2022-0518.yaml
  - data/reports/GO-2022-0540.yaml
  - data/reports/GO-2022-0547.yaml
  - data/reports/GO-2022-0550.yaml
  - data/reports/GO-2022-0554.yaml
  - data/reports/GO-2022-0556.yaml
  - data/reports/GO-2022-0559.yaml
  - data/reports/GO-2022-0560.yaml
  - data/reports/GO-2022-0561.yaml
  - data/reports/GO-2022-0562.yaml
  - data/reports/GO-2022-0566.yaml
  - data/reports/GO-2022-0570.yaml

Updates #507
Updates #508
Updates #509
Updates #510
Updates #511
Updates #512
Updates #516
Updates #517
Updates #518
Updates #540
Updates #547
Updates #550
Updates #554
Updates #556
Updates #559
Updates #560
Updates #561
Updates #562
Updates #566
Updates #570

Change-Id: I3197ea86e01d2ed4ae9e7f17dbd7a3e495c903e4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607220
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@neild @gopherbot @GoVulnBot