A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.

The remote host is affected by the vulnerability described in GLSA-202407-12 (podman: Multiple Vulnerabilities)

    Please review the referenced CVE identifiers for details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1325 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHSA-2023:1326

    Security Fix(es):

    * python-werkzeug: high resource usage when parsing multipart form data with many fields (CVE-2023-25577)

    * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

    * net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

    * golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)

    * golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)

    * haproxy: segfault DoS (CVE-2023-0056)

    * openshift/apiserver-library-go: Bypass of SCC seccomp profile restrictions (CVE-2023-0229)

    * podman: symlink exchange attack in podman export volume (CVE-2023-0778)

    * haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)

    * buildah: possible information disclosure and modification (CVE-2022-2990)

    * OpenShift: Missing HTTP Strict Transport Security (CVE-2022-3259)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1325 advisory.

  - The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to     crash a server in certain circumstances involving AddHostKey. (CVE-2022-27191)

  - An incorrect handling of the supplementary groups in the Buildah container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2990)

  - Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM)     attacks. (CVE-2022-3259)

  - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server     connections contain a cache of HTTP header keys sent by the client. While the total number of entries in     this cache is capped, an attacker sending very large keys can cause the server to allocate approximately     64 MiB per open connection. (CVE-2022-41717)

  - A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean     function could transform an invalid path such as a/../c:/b into the valid path c:\b. This     transformation of a relative (if invalid) path into an absolute path could enable a directory traversal     attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid)     path .\c:\b. (CVE-2022-41722)

  - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient     to cause a denial of service from a small number of small requests. (CVE-2022-41723)

  - Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS     handshake records which cause servers and clients, respectively, to panic when attempting to construct     responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption     (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client     certificates (by setting Config.ClientAuth >= RequestClientCert). (CVE-2022-41724)

  - A denial of service is possible from excessive resource consumption in net/http and mime/multipart.
    Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory     and disk files. This also affects form parsing in the net/http package with the Request methods FormFile,     FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented     as storing up to maxMemory bytes +10MB (reserved for non-file parts) in memory. File parts which cannot     be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file     parts is excessively large and can potentially open a denial of service vector on its own. However,     ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead,     part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In     addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small     request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts     for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory     bytes of memory consumption. Users should still be aware that this limit is high and may still be     hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form     parts into a single temporary file. The mime/multipart.File interface type's documentation states, If     stored on disk, the File's underlying concrete type will be an *os.File.. This is no longer the case when     a form contains more than one file part, due to this coalescing of parts into a single file. The previous     behavior of using distinct files for each form part may be reenabled with the environment variable     GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request     methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the     size of form data with http.MaxBytesReader. (CVE-2022-41725)

  - An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the     service. This issue could allow an authenticated remote attacker to run a specially crafted malicious     server in an OpenShift cluster. The biggest impact is to availability. (CVE-2023-0056)

  - A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that     contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to     unconfined. By default, the seccomp profile used in the restricted-v2 Security Context Constraint (SCC)     is runtime/default, allowing users to disable seccomp for pods they can create and modify.
    (CVE-2023-0229)

  - A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to     replace a normal file in a volume with a symlink while exporting the volume, allowing for access to     arbitrary files on the host file system. (CVE-2023-0778)

  - Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart     form data parser will parse an unlimited number of parts, including file parts. Parts can be a small     amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request     can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or     `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an     attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it.
    The amount of CPU time required can block worker processes from handling legitimate requests. The amount     of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory     and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all     available workers. Version 2.2.3 contains a patch for this issue. (CVE-2023-25577)

  - HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in     some situations, aka request smuggling. The HTTP header parsers in HAProxy may accept empty header field     names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after     being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because     the headers disappear before being parsed and processed, as if they had not been sent by the client. The     fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31. (CVE-2023-25725)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-2758 advisory.

  - Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a     nested field that uses the 'any' field tag. (CVE-2022-30633)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

  - Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.
    (CVE-2022-30630)

  - Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
    (CVE-2022-30635)

  - Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an     attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. (CVE-2022-1962)

  - Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3     allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket     ages during session resumption. (CVE-2022-30629)

  - A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to     replace a normal file in a volume with a symlink while exporting the volume, allowing for access to     arbitrary files on the host file system. (CVE-2023-0778)

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

  - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

  - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server     connections contain a cache of HTTP header keys sent by the client. While the total number of entries in     this cache is capped, an attacker sending very large keys can cause the server to allocate approximately     64 MiB per open connection. (CVE-2022-41717)

  - Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length     compressed files. (CVE-2022-30631)

  - Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via a deeply nested XML document. (CVE-2022-28131)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-2802 advisory.

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

  - Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
    (CVE-2022-30635)

  - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server     connections contain a cache of HTTP header keys sent by the client. While the total number of entries in     this cache is capped, an attacker sending very large keys can cause the server to allocate approximately     64 MiB per open connection. (CVE-2022-41717)

  - Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.
    (CVE-2022-30630)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

  - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

  - A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to     replace a normal file in a volume with a symlink while exporting the volume, allowing for access to     arbitrary files on the host file system. (CVE-2023-0778)

  - Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a     nested field that uses the 'any' field tag. (CVE-2022-30633)

  - Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an     attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. (CVE-2022-1962)

  - An incorrect handling of the supplementary groups in the Podman container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2989)

  - Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via a deeply nested XML document. (CVE-2022-28131)

  - Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length     compressed files. (CVE-2022-30631)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:2758 advisory.

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an     attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. (CVE-2022-1962)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via a deeply nested XML document. (CVE-2022-28131)

  - Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3     allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket     ages during session resumption. (CVE-2022-30629)

  - Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.
    (CVE-2022-30630)

  - Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length     compressed files. (CVE-2022-30631)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

  - Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a     nested field that uses the 'any' field tag. (CVE-2022-30633)

  - Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
    (CVE-2022-30635)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

  - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

  - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server     connections contain a cache of HTTP header keys sent by the client. While the total number of entries in     this cache is capped, an attacker sending very large keys can cause the server to allocate approximately     64 MiB per open connection. (CVE-2022-41717)

  - A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to     replace a normal file in a volume with a symlink while exporting the volume, allowing for access to     arbitrary files on the host file system. (CVE-2023-0778)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2023:2758 advisory.

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an     attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. (CVE-2022-1962)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via a deeply nested XML document. (CVE-2022-28131)

  - Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3     allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket     ages during session resumption. (CVE-2022-30629)

  - Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.
    (CVE-2022-30630)

  - Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length     compressed files. (CVE-2022-30631)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

  - Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a     nested field that uses the 'any' field tag. (CVE-2022-30633)

  - Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
    (CVE-2022-30635)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

  - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

  - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server     connections contain a cache of HTTP header keys sent by the client. While the total number of entries in     this cache is capped, an attacker sending very large keys can cause the server to allocate approximately     64 MiB per open connection. (CVE-2022-41717)

  - A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to     replace a normal file in a volume with a symlink while exporting the volume, allowing for access to     arbitrary files on the host file system. (CVE-2023-0778)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:2758 advisory.

    The container-tools module contains tools for working with containers, notably podman, buildah, skopeo,     and runc.

    Security Fix(es):

    * golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

    * golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

    * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

    * golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

    * golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

    * golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

    * golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

    * golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

    * golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

    * golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

    * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

    * podman: symlink exchange attack in podman export volume (CVE-2023-0778)

    * golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

    * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short,     potentially allowing a denial of service (CVE-2022-32189)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:2802 advisory.

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an     attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. (CVE-2022-1962)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via a deeply nested XML document. (CVE-2022-28131)

  - An incorrect handling of the supplementary groups in the Podman container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2989)

  - Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.
    (CVE-2022-30630)

  - Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length     compressed files. (CVE-2022-30631)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

  - Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a     nested field that uses the 'any' field tag. (CVE-2022-30633)

  - Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
    (CVE-2022-30635)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

  - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

  - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server     connections contain a cache of HTTP header keys sent by the client. While the total number of entries in     this cache is capped, an attacker sending very large keys can cause the server to allocate approximately     64 MiB per open connection. (CVE-2022-41717)

  - A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to     replace a normal file in a volume with a symlink while exporting the volume, allowing for access to     arbitrary files on the host file system. (CVE-2023-0778)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2023:2802 advisory.

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an     attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. (CVE-2022-1962)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via a deeply nested XML document. (CVE-2022-28131)

  - An incorrect handling of the supplementary groups in the Podman container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2989)

  - Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.
    (CVE-2022-30630)

  - Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length     compressed files. (CVE-2022-30631)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

  - Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a     nested field that uses the 'any' field tag. (CVE-2022-30633)

  - Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
    (CVE-2022-30635)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

  - A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go     before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

  - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server     connections contain a cache of HTTP header keys sent by the client. While the total number of entries in     this cache is capped, an attacker sending very large keys can cause the server to allocate approximately     64 MiB per open connection. (CVE-2022-41717)

  - A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to     replace a normal file in a volume with a symlink while exporting the volume, allowing for access to     arbitrary files on the host file system. (CVE-2023-0778)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:2802 advisory.

    The container-tools module contains tools for working with containers, notably podman, buildah, skopeo,     and runc.

    Security Fix(es):

    * golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

    * golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

    * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

    * golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

    * golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

    * golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

    * golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

    * golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

    * golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

    * golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

    * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

    * podman: symlink exchange attack in podman export volume (CVE-2023-0778)

    * podman: possible information disclosure and modification (CVE-2022-2989)

    * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short,     potentially allowing a denial of service (CVE-2022-32189)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:1812-1 advisory.

  - A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to     replace a normal file in a volume with a symlink while exporting the volume, allowing for access to     arbitrary files on the host file system. (CVE-2023-0778)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-998dbd3b79 advisory.

    Security fix for CVE-2023-0778

    ----

    remove quadlet package specification completely

    ----

    bump to v4.4.0


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-698b47d488 advisory.

    Security fix for CVE-2023-0778

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
201915	GLSA-202407-12 : podman: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
196729	RHEL 7 : podman (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	medium
194235	RHEL 8 / 9 : OpenShift Container Platform 4.13.0 (RHSA-2023:1325)	Nessus	Red Hat Local Security Checks	critical
189426	RHCOS 4 : OpenShift Container Platform 4.13.0 (RHSA-2023:1325)	Nessus	Red Hat Local Security Checks	critical
176306	Oracle Linux 8 : container-tools:ol8 (ELSA-2023-2758)	Nessus	Oracle Linux Local Security Checks	medium
176302	Oracle Linux 8 : container-tools:4.0 (ELSA-2023-2802)	Nessus	Oracle Linux Local Security Checks	high
176167	AlmaLinux 8 : container-tools:rhel8 (ALSA-2023:2758)	Nessus	Alma Linux Local Security Checks	medium
176149	CentOS 8 : container-tools:rhel8 (CESA-2023:2758)	Nessus	CentOS Local Security Checks	medium
176146	RHEL 8 : container-tools:rhel8 (RHSA-2023:2758)	Nessus	Red Hat Local Security Checks	medium
176117	AlmaLinux 8 : container-tools:4.0 (ALSA-2023:2802)	Nessus	Alma Linux Local Security Checks	high
175893	CentOS 8 : container-tools:4.0 (CESA-2023:2802)	Nessus	CentOS Local Security Checks	high
175871	RHEL 8 : container-tools:4.0 (RHSA-2023:2802)	Nessus	Red Hat Local Security Checks	high
174144	SUSE SLES15 Security Update : podman (SUSE-SU-2023:1812-1)	Nessus	SuSE Local Security Checks	medium
171905	Fedora 36 : podman (2023-998dbd3b79)	Nessus	Fedora Local Security Checks	medium
171774	Fedora 37 : podman (2023-698b47d488)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2023-0778

medium

Tenable Plugins

critical

medium

critical

critical

medium

high

medium

medium

medium

high

high

high

medium

medium

medium