CVE-2022-2529 - OpenCVE

sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudflare	Goflow

Configuration 1 [-]

cpe:2.3:a:cloudflare:goflow:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c

History

No history.

MITRE

Status: PUBLISHED

Assigner: cloudflare

Published: 2022-09-30T10:45:11

Updated: 2024-08-03T00:39:08.043Z

Reserved: 2022-07-25T00:00:00

Link: CVE-2022-2529

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-30T11:15:09.353

Modified: 2022-10-04T16:25:52.267

Link: CVE-2022-2529

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Go"], "product": "goflow", "vendor": "Cloudflare", "versions": [{"lessThan": "3.4.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Justin Timperio, Chase Hiltz"}], "descriptions": [{"lang": "en", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-30T10:45:11", "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}], "solutions": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "source": {"discovery": "EXTERNAL"}, "title": "Multiple DoS Attack Vectors in sflow packet handling", "workarounds": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@cloudflare.com", "ID": "CVE-2022-2529", "STATE": "PUBLIC", "TITLE": "Multiple DoS Attack Vectors in sflow packet handling"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "goflow", "version": {"version_data": [{"platform": "Go", "version_affected": "<", "version_value": "3.4.4"}]}}]}, "vendor_name": "Cloudflare"}]}}, "credit": [{"lang": "eng", "value": "Justin Timperio, Chase Hiltz"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}, {"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "refsource": "MISC", "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}]}, "solution": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "source": {"discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:08.043Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}]}]}, "cveMetadata": {"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "assignerShortName": "cloudflare", "cveId": "CVE-2022-2529", "datePublished": "2022-09-30T10:45:11", "dateReserved": "2022-07-25T00:00:00", "dateUpdated": "2024-08-03T00:39:08.043Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:goflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA4C3B2C-FA7D-4659-97FF-880D574C12B4", "versionEndExcluding": "3.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}, {"lang": "es", "value": "El paquete de decodificaci\u00f3n sflow no emplea suficiente sanitizaci\u00f3n de paquetes, lo que puede llevar a un ataque de denegaci\u00f3n de servicio. Los atacantes pueden elaborar paquetes malformados haciendo que el proceso consuma grandes cantidades de memoria, lo que provoca una denegaci\u00f3n de servicio"}], "id": "CVE-2022-2529", "lastModified": "2022-10-04T16:25:52.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cna@cloudflare.com", "type": "Secondary"}]}, "published": "2022-09-30T11:15:09.353", "references": [{"source": "cna@cloudflare.com", "tags": ["Third Party Advisory"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-400"}], "source": "cna@cloudflare.com", "type": "Secondary"}]}