CVE-2022-23772

7.5 HIGH

📋 TL;DR

CVE-2022-23772 is an integer overflow vulnerability in Go's math/big.Rat.SetString function that allows attackers to trigger uncontrolled memory consumption (denial of service) by providing specially crafted input. This affects Go applications using the math/big package for rational number parsing. Organizations running Go services before patched versions are vulnerable.

💻 Affected Systems

Products:
  • Go programming language
  • Applications built with Go using math/big package
Versions: Go 1.0 to 1.16.13, Go 1.17.0 to 1.17.6
Operating Systems: All platforms running affected Go versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications using math/big.Rat.SetString with untrusted input are vulnerable. Many Go applications may not use this specific function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to memory exhaustion, potentially affecting multiple services on the same host through resource starvation.

🟠 Likely Case

Service degradation or crashes in applications that parse untrusted rational number strings via math/big.Rat.SetString.

🟢 If Mitigated

Minimal impact if input validation prevents malicious strings from reaching vulnerable functions.

🌐 Internet-Facing: MEDIUM - Exploitable if applications accept untrusted input for rational number parsing, but requires specific functionality usage.
🏢 Internal Only: LOW - Typically requires attacker access to internal systems or specific API endpoints.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is publicly available. Exploitation requires sending specially crafted rational number strings to vulnerable applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.16.14, Go 1.17.7, or later

Vendor Advisory: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ

Restart Required: Yes

Instructions:

1. Update the Go installation to 1.16.14+ or 1.17.7+ using official distribution channels.
2. Recompile all Go applications with the updated Go compiler (the fix lives in the standard library that is compiled into each binary, so upgrading the toolchain alone does not fix already-built binaries).
3. Restart all Go-based services.

🔧 Temporary Workarounds

Input validation for rational numbers

Platform: all

Validate and sanitize all input before passing it to math/big.Rat.SetString.
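The following is an added example of that workaround, not code from the advisory or from the Go project: a wrapper that bounds the input length, accepts only a plain fraction or decimal grammar, and rejects exponents outside a fixed range before the string ever reaches Rat.SetString. The constants maxRatInputLen and maxExponentMag and the function name safeParseRat are this example's own choices; tune the bounds to what your application legitimately needs.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"strconv"
	"strings"
)

// Bounds chosen for this example (not values from the advisory). Keeping the
// exponent small keeps the size of the parsed numerator/denominator small,
// independent of how the math/big runtime handles extreme inputs.
const (
	maxRatInputLen = 64 // reject anything longer before parsing
	maxExponentMag = 64 // largest |exponent| accepted in decimal form
)

// ratSyntax allows exactly two of the forms Rat.SetString understands:
//   a fraction  "[-+]a/b"                       (groups 1 and 2)
//   a decimal   "[-+]ddd[.ddd][eE][-+]exp"      (group 3 is the exponent)
// Base prefixes (0x, 0b, 0o), digit separators and anything else are rejected.
var ratSyntax = regexp.MustCompile(
	`^[-+]?(?:(\d+)/(\d+)|(?:\d+(?:\.\d+)?|\.\d+)(?:[eE]([-+]?\d+))?)$`)

// safeParseRat validates s against the allow-list above and only then hands it
// to math/big. Every rejection happens before any big-number arithmetic runs.
func safeParseRat(s string) (*big.Rat, error) {
	if len(s) > maxRatInputLen {
		return nil, fmt.Errorf("rational input too long (%d > %d bytes)", len(s), maxRatInputLen)
	}
	m := ratSyntax.FindStringSubmatch(s)
	if m == nil {
		return nil, errors.New("rational input does not match the allowed syntax")
	}
	// Explicit zero-denominator check (math/big also rejects it, but failing
	// here keeps the error message under our control).
	if den := m[2]; den != "" && strings.Trim(den, "0") == "" {
		return nil, errors.New("zero denominator")
	}
	// Atoi fails on absurdly long exponents; the range check catches the rest.
	if exp := m[3]; exp != "" {
		e, err := strconv.Atoi(exp)
		if err != nil || e > maxExponentMag || e < -maxExponentMag {
			return nil, fmt.Errorf("exponent %q outside the allowed range of +/-%d", exp, maxExponentMag)
		}
	}
	r, ok := new(big.Rat).SetString(s)
	if !ok {
		return nil, errors.New("math/big rejected the input")
	}
	return r, nil
}

func main() {
	// Constructed sample inputs: two valid, three that must be rejected.
	for _, in := range []string{"3/4", "-2.5e3", "1e1000", "0x10", "1/0"} {
		r, err := safeParseRat(in)
		if err != nil {
			fmt.Printf("%-8s rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-8s -> %s\n", in, r.RatString())
	}
}
```

The allow-list is deliberately narrower than what Rat.SetString itself accepts; if your inputs legitimately use hexadecimal or underscore-separated forms, extend the pattern rather than dropping the length and exponent bounds.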

Memory limits for Go processes

Platform: linux

Set memory limits using containerization or OS controls so that a runaway parse cannot exhaust the whole host. Both commands below cap the process at 512 MiB (ulimit -v takes KiB and applies to the current shell and its children).

docker run --memory=512m your-go-app
ulimit -v 524288

🧯 If You Can't Patch

  • Implement strict input validation to reject malformed rational number strings
  • Deploy memory monitoring and alerting for Go processes to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Go version with 'go version'. If the output shows 1.16.x where x < 14, or 1.17.x where x < 7, the toolchain is vulnerable; binaries built with such a toolchain remain vulnerable until they are rebuilt.

Check Version:

go version

Verify Fix Applied:

After updating, run 'go version' to confirm the version is 1.16.14+ or 1.17.7+, then rebuild and redeploy the affected applications and test them with known safe rational number inputs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory consumption spikes in Go processes
  • Process crashes with out-of-memory errors
  • Repeated failed parsing attempts in application logs

Network Indicators:

  • Unusually large payloads sent to endpoints accepting rational number input
  • Patterns of repeated requests with varying rational number formats

SIEM Query:

process.name:"go" AND (memory.usage > 90% OR event.action:"crash")
