Bug 1199760 (CVE-2022-28946) - VUL-0: CVE-2022-28946: cosign,trivy,starboard: an issue in the Open Policy Agent parser can lead to DoS
Status: RESOLVED FIXED
Alias: CVE-2022-28946
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/332408/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-28946:4.9:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-20 10:09 UTC by Carlos López
Modified: 2024-06-05 13:36 UTC
5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-05-20 10:09:17 UTC
CVE-2022-28946

An issue in the component ast/parser.go of Open Policy Agent v0.39.0 causes the
application to incorrectly interpret every expression, causing a Denial of
Service (DoS) via triggering out-of-range memory access.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28946
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28946
https://github.com/open-policy-agent/opa/commit/e9d3828db670cbe11129885f37f08cbf04935264
Comment 1 Carlos López 2022-05-20 10:10:24 UTC
I could find the unpatched library embedded in the following packages:

cosign:
- SUSE:SLE-15-SP4:GA
- openSUSE:Factory

trivy:
- openSUSE:Backports:SLE-15-SP3:Update
- openSUSE:Backports:SLE-15-SP4
- openSUSE:Factory

starboard:
- openSUSE:Factory
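The check behind Comment 1 (which packages still embed the unpatched library) can be automated against each package's vendored Go module list. The program below is an added example and is not code from this bug or from cosign, trivy, starboard or OPA. It assumes the standard `vendor/modules.txt` layout written by `go mod vendor` (module headers of the form `# <path> <version>`), uses a constructed sample in place of a real vendor tree, and takes the first fixed OPA release as a placeholder, since the bug names only the fix commit and not the release that contains it.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of a Go vendor/modules.txt as "go mod vendor" writes
// it: a "# <path> <version>" header per module, followed by the packages
// vendored from it. The OPA entry uses the v0.39.0 named in the bug; the
// other modules and versions are made up for the example.
const sampleModulesTxt = `# github.com/aquasecurity/go-dep-parser v0.0.0-20220401000000-abcdef123456
## explicit; go 1.17
github.com/aquasecurity/go-dep-parser/pkg/golang/mod
# github.com/open-policy-agent/opa v0.39.0
## explicit; go 1.17
github.com/open-policy-agent/opa/ast
github.com/open-policy-agent/opa/rego
# github.com/spf13/cobra v1.4.0
## explicit; go 1.15
github.com/spf13/cobra
`

const opaModule = "github.com/open-policy-agent/opa"

// PLACEHOLDER (assumption, not stated in the bug): the first OPA release
// that contains fix commit e9d3828db670cbe11129885f37f08cbf04935264 must be
// looked up in the OPA changelog and substituted here.
const fixedOPAVersion = "v0.39.1"

// VendoredVersion returns the version recorded for modulePath in a
// vendor/modules.txt body, or "" if that module is not vendored at all.
func VendoredVersion(modulesTxt, modulePath string) string {
	sc := bufio.NewScanner(strings.NewReader(modulesTxt))
	for sc.Scan() {
		line := sc.Text()
		// "## explicit" markers and package lines are not module headers.
		if !strings.HasPrefix(line, "# ") {
			continue
		}
		fields := strings.Fields(line[2:])
		if len(fields) >= 2 && fields[0] == modulePath {
			return fields[1]
		}
	}
	return ""
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-prerelease][+build]" into its
// numeric parts. Pre-release and build suffixes are dropped, so a
// pseudo-version such as v0.0.0-2022...-abcdef compares as 0.0.0.
func parseSemver(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return [3]int{}, false
		}
		out[i] = n
	}
	return out, true
}

// OlderThan reports whether version a sorts before b by MAJOR.MINOR.PATCH.
// Unparseable input counts as older, so an odd or corrupt version string is
// flagged for a human rather than silently passed as fixed.
func OlderThan(a, b string) bool {
	pa, okA := parseSemver(a)
	pb, okB := parseSemver(b)
	if !okA || !okB {
		return true
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// NeedsUpdate returns the vendored version of modulePath ("" when it is not
// vendored) and whether that version is older than minFixed.
func NeedsUpdate(modulesTxt, modulePath, minFixed string) (version string, needs bool) {
	version = VendoredVersion(modulesTxt, modulePath)
	if version == "" {
		return "", false
	}
	return version, OlderThan(version, minFixed)
}

func main() {
	v, needs := NeedsUpdate(sampleModulesTxt, opaModule, fixedOPAVersion)
	switch {
	case v == "":
		fmt.Println("OPA is not vendored in this package")
	case needs:
		fmt.Printf("vendored OPA %s is older than %s: vendor.tar.gz needs regenerating\n", v, fixedOPAVersion)
	default:
		fmt.Printf("vendored OPA %s is at or above %s\n", v, fixedOPAVersion)
	}
}
```

Run it against a real package by replacing `sampleModulesTxt` with the contents of `vendor/modules.txt` from the unpacked vendor tarball. Note the point from Comments 3 and 4: regenerating the tarball only helps once the upstream project has itself bumped the dependency, so the version reported here should be read together with the upstream go.mod.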
Comment 2 Marcus Meissner 2022-05-21 13:13:00 UTC
Not yet fixed in cosign 1.8.0 vendoring.
Comment 3 Johannes Kastl 2022-05-21 18:40:14 UTC
Recreating the vendor.tar.gz for starboard does not yet pull in any updated dependencies, see https://build.opensuse.org/request/show/978449
Comment 4 Dirk Mueller 2022-05-23 07:46:03 UTC
You need to first include https://github.com/aquasecurity/starboard/commit/25b7b6a751bd57753093a9dfbe2f15d65fd88f3d
Comment 5 OBSbugzilla Bot 2022-05-23 08:40:11 UTC
This is an autogenerated message for OBS integration:
This bug (1199760) was mentioned in
https://build.opensuse.org/request/show/978633 Factory / trivy
https://build.opensuse.org/request/show/978634 Backports:SLE-15-SP4 / trivy
Comment 6 Swamp Workflow Management 2022-06-21 19:15:04 UTC
openSUSE-SU-2022:10022-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1199760
CVE References: CVE-2022-23648,CVE-2022-28946
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    trivy-0.28.0-bp154.2.3.1
Comment 7 OBSbugzilla Bot 2022-07-27 14:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1199760) was mentioned in
https://build.opensuse.org/request/show/991390 Backports:SLE-15-SP3 / trivy
Comment 8 Swamp Workflow Management 2022-08-20 13:16:03 UTC
openSUSE-SU-2022:10094-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1199760
CVE References: CVE-2022-1996,CVE-2022-23648,CVE-2022-28946
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    trivy-0.30.4-bp153.8.1
Comment 9 Thomas Leroy 2022-09-01 13:44:51 UTC
SUSE:SLE-15-SP4:Update/cosign is v1.10.1, which is built with a fixed version of opa.
Comment 10 Alexander Bergmann 2024-06-05 13:36:27 UTC
Fixed and released.