Bug 1208854 - VUL-0: CVE-2022-41727: amazon-ssm-agent,terraform-provider-aws,terraform-provider-azurerm,terraform-provider-helm,terraform-provider-null: golang.org/x/image: Uncontrolled Resource Consumption
Summary: VUL-0: CVE-2022-41727: amazon-ssm-agent,terraform-provider-aws,terraform-prov...
Status: RESOLVED INVALID
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None / Severity: Major
Target Milestone: ---
Assignee: SUSE Public Cloud Maintainer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/358717/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2022-41727
Reported: 2023-03-02 14:57 UTC by Cathy Hu
Modified: 2023-03-02 16:14 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Cathy Hu 2023-03-02 15:03:03 UTC
Our scanners show golang.org/x/image with version < 0.5.0 embedded in:

- SUSE:SLE-12:Update/amazon-ssm-agent                                       
- SUSE:SLE-15:Update/amazon-ssm-agent                                       
- openSUSE:Factory/amazon-ssm-agent

- SUSE:SLE-15-SP1:Update/terraform-provider-aws                             
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/terraform-provider-aws      
- openSUSE:Factory/terraform-provider-aws

- SUSE:SLE-15-SP1:Update/terraform-provider-azurerm                         
- SUSE:SLE-15-SP2:Update/terraform-provider-azurerm                         
- openSUSE:Factory/terraform-provider-azurerm

- SUSE:SLE-15-SP1:Update/terraform-provider-helm                            
- SUSE:SLE-15-SP2:Update/terraform-provider-helm                            
- openSUSE:Factory/terraform-provider-helm

- SUSE:SLE-15-SP2:Update/terraform-provider-null                            
- openSUSE:Factory/terraform-provider-null

- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/terraform-provider-vsphere  
- openSUSE:Backports:SLE-15-SP4/terraform-provider-vsphere                  
- openSUSE:Factory/terraform-provider-vsphere
Comment 2 Cathy Hu 2023-03-02 15:13:10 UTC
terraform-provider-vsphere would be for coldpool, please ignore that one
Comment 3 John Paul Adrian Glaubitz 2023-03-02 15:19:55 UTC
(In reply to Hu from comment #1)
> Our scanners show golang.org/x/image with version < 0.5.0 embedded in:
> 
> - SUSE:SLE-12:Update/amazon-ssm-agent                                       
> - SUSE:SLE-15:Update/amazon-ssm-agent                                       
> - openSUSE:Factory/amazon-ssm-agent

Hmm, I just checked these and I don't see any x/image source code there.
Comment 4 Cathy Hu 2023-03-02 15:56:28 UTC
It seems to be an indirect dependency; it is listed in the go.sum.

I will talk to the scanner dev and check the rest manually again. Sorry for the noise.
Comment 5 Cathy Hu 2023-03-02 16:14:52 UTC
Okay, I checked; they were all false positives. Sorry for the noise. Closing.
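The false positives in this thread come from matching go.sum alone: go.sum records a hash for every module version the Go toolchain consulted while resolving the graph, including versions that were only read for their go.mod file and never compiled, so a go.sum hit does not show that the code is actually built. The check below is an added triage example (not the SUSE scanner, and not code from any of the listed packages) that cross-references go.sum entries with the build list `go list -m all` would print, and reports for each flagged version whether it is built, superseded, or present in go.sum only. All inputs are constructed inline, the hashes are placeholders, and the fixed version `v0.5.0` is taken from comment 1; `example.com/agent` is an assumed main module name.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Status values for one go.sum entry checked against the build list.
const (
	StatusSumOnly    = "go.sum only: module not in build list"
	StatusSuperseded = "go.sum only: version superseded in build list"
	StatusVulnerable = "built at a version below the fixed version"
	StatusFixed      = "built at or above the fixed version"
)

// Finding is the triage result for one (module, version) seen in go.sum.
type Finding struct{ Module, Version, Status string }

// parseGoSum maps module -> set of versions that appear in go.sum. A version
// ending in "/go.mod" hashes only the module's go.mod file: the module was
// consulted during resolution, which does not mean its source was compiled.
func parseGoSum(goSum string) map[string]map[string]bool {
	out := map[string]map[string]bool{}
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		mod, ver := f[0], strings.TrimSuffix(f[1], "/go.mod")
		if out[mod] == nil {
			out[mod] = map[string]bool{}
		}
		out[mod][ver] = true
	}
	return out
}

// parseBuildList maps module -> version from `go list -m all` output; the
// main module line carries no version and is skipped.
func parseBuildList(list string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(list, "\n") {
		if f := strings.Fields(line); len(f) >= 2 {
			out[f[0]] = f[1]
		}
	}
	return out
}

// coreVersion splits "vX.Y.Z[-pre][+meta]" into its numeric core and reports
// whether a pre-release tag (a pseudo-version suffix counts) was present.
func coreVersion(v string) (core [3]int, pre bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = strings.HasPrefix(v[i:], "-")
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p)
	}
	return core, pre
}

// versionLess reports a < b: numeric core first, then a pre-release sorts
// before the release it precedes (so v0.5.0-rc1 < v0.5.0).
func versionLess(a, b string) bool {
	ca, pa := coreVersion(a)
	cb, pb := coreVersion(b)
	for i := range ca {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	return pa && !pb
}

// assess classifies every go.sum version of module against the build list
// and the version that carries the fix.
func assess(goSum map[string]map[string]bool, build map[string]string, module, fixed string) []Finding {
	var out []Finding
	built, inBuild := build[module]
	for ver := range goSum[module] {
		f := Finding{Module: module, Version: ver}
		switch {
		case !inBuild:
			f.Status = StatusSumOnly
		case ver != built:
			f.Status = StatusSuperseded
		case versionLess(ver, fixed):
			f.Status = StatusVulnerable
		default:
			f.Status = StatusFixed
		}
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Version < out[j].Version })
	return out
}

// Constructed inputs with placeholder hashes (not from any real package).
// Scenario A mirrors the thread: x/image is in go.sum but not in the build list.
const sumOnlyGoSum = "golang.org/x/image v0.0.0-20190101000000-000000000000/go.mod h1:PLACEHOLDER\n" +
	"golang.org/x/sys v0.3.0 h1:PLACEHOLDER\ngolang.org/x/sys v0.3.0/go.mod h1:PLACEHOLDER\n"
const sumOnlyBuildList = "example.com/agent\ngolang.org/x/sys v0.3.0\n"

// Scenario B: x/image really is in the build list, below the fixed version.
const builtGoSum = "golang.org/x/image v0.4.0 h1:PLACEHOLDER\ngolang.org/x/image v0.4.0/go.mod h1:PLACEHOLDER\n"
const builtBuildList = "example.com/agent\ngolang.org/x/image v0.4.0\n"

func main() {
	for _, s := range [][3]string{{"A", sumOnlyGoSum, sumOnlyBuildList}, {"B", builtGoSum, builtBuildList}} {
		for _, f := range assess(parseGoSum(s[1]), parseBuildList(s[2]), "golang.org/x/image", "v0.5.0") {
			fmt.Printf("scenario %s: %s %s -> %s\n", s[0], f.Module, f.Version, f.Status)
		}
	}
}
```

In a real package build the two inputs would be the package's go.sum and the captured output of `go list -m all` from the same source tree; the "go.sum only" statuses are exactly the entries a go.sum-based scanner over-reports, while "built below fixed version" is the one that needs an update. Modules vendored without a go.sum need the vendor tree inspected directly, as comment 3 did.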