Alpine: multiple go packages: security update to 1.19.6-r0

high Tenable Self-Hosted Container Security Plugin ID 404772

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient
to cause a denial of service from a small number of small requests. (CVE-2022-41723)

- Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS
handshake records which cause servers and clients, respectively, to panic when attempting to construct
responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption
(by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client
certificates (by setting Config.ClientAuth >= RequestClientCert). (CVE-2022-41724)

- A denial of service is possible from excessive resource consumption in net/http and mime/multipart.
Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory
and disk files. This also affects form parsing in the net/http package with the Request methods FormFile,
FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented
as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot
be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file
parts is excessively large and can potentially open a denial of service vector on its own. However,
ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead,
part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In
addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small
request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts
for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory
bytes of memory consumption. Users should still be aware that this limit is high and may still be
hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form
parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If
stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when
a form contains more than one file part, due to this coalescing of parts into a single file. The previous
behavior of using distinct files for each form part may be reenabled with the environment variable
GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request
methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the
size of form data with http.MaxBytesReader. (CVE-2022-41725)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-41723

https://security.alpinelinux.org/vuln/CVE-2022-41724

https://security.alpinelinux.org/vuln/CVE-2022-41725

Plugin Details

Severity: High

ID: 404772

Version: Revision 1.35

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.67

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2022-41725

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/15/2023

Reference Information

CVE: CVE-2022-41723, CVE-2022-41724, CVE-2022-41725

IAVB: 2023-B-0012-S