CVE-2022-2529 - OpenCVE

sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Cloudflare	Goflow

Configuration 1 [-]

cpe:2.3:a:cloudflare:goflow:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: cloudflare

Published: 2022-09-30T10:45:11

Updated: 2022-09-30T10:45:11

Reserved: 2022-07-25T00:00:00

Link: CVE-2022-2529

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-30T11:15:09.353

Modified: 2022-10-04T16:25:52.267

Link: CVE-2022-2529

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"platforms": ["Go"], "product": "goflow", "vendor": "Cloudflare", "versions": [{"lessThan": "3.4.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Justin Timperio, Chase Hiltz"}], "descriptions": [{"lang": "en", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-30T10:45:11", "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}], "solutions": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "source": {"discovery": "EXTERNAL"}, "title": "Multiple DoS Attack Vectors in sflow packet handling", "workarounds": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@cloudflare.com", "ID": "CVE-2022-2529", "STATE": "PUBLIC", "TITLE": "Multiple DoS Attack Vectors in sflow packet handling"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "goflow", "version": {"version_data": [{"platform": "Go", "version_affected": "<", "version_value": "3.4.4"}]}}]}, "vendor_name": "Cloudflare"}]}}, "credit": [{"lang": "eng", "value": "Justin Timperio, Chase Hiltz"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}, {"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "refsource": "MISC", "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}]}, "solution": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "source": {"discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}]}}}, "cveMetadata": {"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "assignerShortName": "cloudflare", "cveId": "CVE-2022-2529", "datePublished": "2022-09-30T10:45:11", "dateReserved": "2022-07-25T00:00:00", "dateUpdated": "2022-09-30T10:45:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:goflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA4C3B2C-FA7D-4659-97FF-880D574C12B4", "versionEndExcluding": "3.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}, {"lang": "es", "value": "El paquete de decodificaci\u00f3n sflow no emplea suficiente sanitizaci\u00f3n de paquetes, lo que puede llevar a un ataque de denegaci\u00f3n de servicio. Los atacantes pueden elaborar paquetes malformados haciendo que el proceso consuma grandes cantidades de memoria, lo que provoca una denegaci\u00f3n de servicio"}], "id": "CVE-2022-2529", "lastModified": "2022-10-04T16:25:52.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cna@cloudflare.com", "type": "Secondary"}]}, "published": "2022-09-30T11:15:09.353", "references": [{"source": "cna@cloudflare.com", "tags": ["Third Party Advisory"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-400"}], "source": "cna@cloudflare.com", "type": "Secondary"}]}