Ava-691: Golang DoS vulnerability in HTTP/2 connection closing

Release Date

16th November 2022.

Overview

he minor releases 1.19.1 and 1.18.6 of Golang include a fix for a security bug that potentially affects Ava Aware, and could result in a denial of service. The bug lies in the handling of closing HTTP/2 connections that could hang forever if waiting for a clean shutdown preempted by a subsequent fatal error.

Affected Products

• Ava Aware:
  • All Stable upgrade channel versions before 5.3.4.
  • All Beta upgrade channel versions before 5.3.0.

Unaffected Products

• Ava Aware:
  • All Stable upgrade channel versions after and including 5.3.4.
  • All Beta upgrade channel versions after and including 5.3.0.

Resolution

This issue has been fixed in Ava Aware Beta upgrade channel version 5.3.4 and Stable upgrade channel version 5.3.0. ​ It is recommended that all installations running an affected version are upgraded to the latest release as soon as possible. Releases are available to download.

Vulnerability Information

• CVE: CVE-2022-27664
• CVSSv3 score: 3.7 (Low)
• CVSSv3 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Mitigations

There are no known mitigations for this issue.

Work arounds

There are no known work arounds for this issue.

Acknowledgements

Issue reported by The Go Team.

Disclosure Timeline

• 07/09/2022 Issue found (by The Go Team)
• 06/09/2022 Root cause established
• 07/09/2022 Fix identified
• 15/09/2022 Patched Ava Aware (Beta upgrade channel) released
• 06/10/2022 Patched Ava Aware (Stable upgrade channel) released
• 16/11/2022 Vulnerability publicly disclosed