#VU72314 Resource exhaustion in yaml - CVE-2022-3064

Cybersecurity Help s.r.o.

Published: 2023-02-16

Vulnerability identifier: #VU72314

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-3064

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
yaml
Universal components / Libraries / Libraries used by multiple products

Vendor: The YAML Project

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing large YAML documents. A remote attacker can consume excessive amounts of CPU or memory and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

yaml: 2.0.0 - 2.2.3

External links
https://github.com/go-yaml/yaml/releases/tag/v2.2.4
https://pkg.go.dev/vuln/GO-2022-0956
https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5
https://github.com/advisories/GHSA-6q6q-88xp-6f2r

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Anolis OS update for container-tools:an8 module

openEuler 22.03 LTS SP4 update for etcd

openEuler 22.03 LTS SP3 update for etcd

openEuler 20.03 LTS SP4 update for etcd

Red Hat Enterprise Linux 8 update for rhc

Red Hat Enterprise Linux 9 update for rhc

Multiple vulnerabilities in Red Hat OpenShift Dev Spaces

Multiple vulnerabilities in IBM Planning Analytics Connector for SAP

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.13

Red Hat Enterprise Linux 8 update for the container-tools:4.0 module