SUSE update for go1.17

1) Incorrect Regular Expression

EUVDB-ID: #VU61227

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-24921

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in regexp.Compile in Go. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.

Mitigation

Update the affected package go1.17 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Realtime Extension: 15-SP2

SUSE Linux Enterprise Server: 15-SP2-BCL - 15-SP4

SUSE Linux Enterprise High Performance Computing: 15-SP2-ESPOS - 15-SP4

SUSE Enterprise Storage: 7.1

SUSE Linux Enterprise Module for Development Tools: 15-SP3 - 15-SP4

SUSE Manager Server: 4.1 - 4.2

SUSE Manager Retail Branch Server: 4.1

SUSE Manager Proxy: 4.1 - 4.2

SUSE Linux Enterprise Server for SAP: 15-SP2

SUSE Linux Enterprise Desktop: 15-SP3 - 15-SP4

openSUSE Leap: 15.3 - 15.4

SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4

go1.17-race: before 1.17.8-150000.1.25.1

go1.17-doc: before 1.17.8-150000.1.25.1

go1.17: before 1.17.8-150000.1.25.1

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_realtime_extension:15-SP2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP2-BCL:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP2-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server:15-SP3-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP2-ESPOS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP2-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-SP3-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:7.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_module_for_development_tools:15-SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_module_for_development_tools:15-SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_server:4.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_retail_branch_server:4.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_proxy:4.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_desktop:15-SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:opensuse_leap:15.3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:15-SP3:*:*:*:*:*:*:*
• cpe:2.3:a:suse:go1.17-race:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:go1.17-doc:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:go1.17:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20221167-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.