CVE-2022-32148
medium
CVSS v3
β
CVSS v4 NEW
β
VIR risk
5.5
Description
RHSA-2023:2802: container-tools:4.0 security and bug fix update (Moderate)
Predictions
Exploit likelihood
20%
Patch ETA
β
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Source: Red Hat Errata β Red Hat Inc. Β· View original β Β· Open-Errata-API
Description golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) Errata / fixed releases ProductPackageAdvisoryReleased Application Interconnect 1 for RHEL 8skupper-cli-0:1.0.2-2.el8RHSA-2022:61132022-08-18T00:00:00Z Logging subsystem for Red Hat OpenShiftβ¦
Description
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Application Interconnect 1 for RHEL 8 | skupper-cli-0:1.0.2-2.el8 | RHSA-2022:6113 | 2022-08-18T00:00:00Z |
| Logging subsystem for Red Hat OpenShift 5.4 | openshift-logging/logging-loki-rhel8:v2.5.0-42 | RHSA-2022:6183 | 2022-09-06T00:00:00Z |
| Node Maintenance Operator 4.11 for RHEL 8 | workload-availability/node-maintenance-rhel8-operator:v4.11.1-1 | RHSA-2022:6188 | 2022-08-25T00:00:00Z |
| OADP-1.0-RHEL-8 | oadp/oadp-velero-rhel8:1.0.4-6 | RHSA-2022:6430 | 2022-09-13T00:00:00Z |
| OpenShift Custom Metrics Autoscaler 2 | custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8:2.8.2-143 | RHSA-2023:1042 | 2023-03-06T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/client-kn-rhel8:1.3.1-4 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:1.3.2-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-controller-rhel8:1.3.2-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:1.3.2-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:1.3.2-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-kafka-broker-controller-rhel8:1.3.2-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-kafka-broker-dispatcher-rhel8:1.3.2-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-kafka-broker-post-install-rhel8:1.3.2-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-kafka-broker-webhook-rhel8:1.3.2-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-mtbroker-filter-rhel8:1.3.2-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-mtbroker-ingress-rhel8:1.3.2-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-mtchannel-broker-rhel8:1.3.2-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-mtping-rhel8:1.3.2-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-storage-version-migration-rhel8:1.3.2-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-sugar-controller-rhel8:1.3.2-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/eventing-webhook-rhel8:1.3.2-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/ingress-rhel8-operator:1.24.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/knative-rhel8-operator:1.24.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/kn-cli-artifacts-rhel8:1.3.1-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/kourier-control-rhel8:1.3.0-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/net-istio-controller-rhel8:1.3.0-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/net-istio-webhook-rhel8:1.3.0-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/serverless-operator-bundle:1.24.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/serverless-rhel8-operator:1.24.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/serving-activator-rhel8:1.3.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/serving-autoscaler-hpa-rhel8:1.3.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/serving-autoscaler-rhel8:1.3.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/serving-controller-rhel8:1.3.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/serving-domain-mapping-rhel8:1.3.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/serving-domain-mapping-webhook-rhel8:1.3.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/serving-queue-rhel8:1.3.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/serving-storage-version-migration-rhel8:1.3.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/serving-webhook-rhel8:1.3.0-3 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1/svls-must-gather-rhel8:1.24.0-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1-tech-preview/eventing-kafka-broker-controller-rhel8:1.3.2-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1-tech-preview/eventing-kafka-broker-dispatcher-rhel8:1.3.2-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1-tech-preview/eventing-kafka-broker-receiver-rhel8:1.3.2-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serveless 1.24 | openshift-serverless-1-tech-preview/eventing-kafka-broker-webhook-rhel8:1.3.2-2 | RHSA-2022:6040 | 2022-08-10T00:00:00Z |
| Openshift Serverless 1 on RHEL 8 | openshift-serverless-clients-0:1.3.1-4.el8 | RHSA-2022:6042 | 2022-08-10T00:00:00Z |
| OSSO-1.1-RHEL-8 | openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8:v1.1-11 | RHSA-2022:6152 | 2022-09-01T00:00:00Z |
| Red Hat Ceph Storage 6.1 | rhceph/rhceph-6-dashboard-rhel9:6-75 | RHSA-2023:3642 | 2023-06-15T00:00:00Z |
| Red Hat Developer Tools | go-toolset-1.17-golang-0:1.17.12-1.el7_9 | RHSA-2022:5866 | 2022-08-02T00:00:00Z |
| Red Hat Enterprise Linux 8 | go-toolset:rhel8-8060020220720230014.97d7f71f | RHSA-2022:5775 | 2022-08-01T00:00:00Z |
| Red Hat Enterprise Linux 8 | git-lfs-0:2.13.3-3.el8_6 | RHSA-2022:7129 | 2022-10-25T00:00:00Z |
| Red Hat Enterprise Linux 8 | grafana-0:7.5.15-3.el8 | RHSA-2022:7519 | 2022-11-08T00:00:00Z |
| Red Hat Enterprise Linux 8 | container-tools:3.0-8070020220802115906.39077419 | RHSA-2022:7529 | 2022-11-08T00:00:00Z |
| Red Hat Enterprise Linux 8 | grafana-pcp-0:3.2.0-2.el8 | RHSA-2022:7648 | 2022-11-08T00:00:00Z |
| Red Hat Enterprise Linux 8 | container-tools:rhel8-8080020230321153727.0f77c1b7 | RHSA-2023:2758 | 2023-05-16T00:00:00Z |
| Red Hat Enterprise Linux 8 | container-tools:4.0-8080020230217080101.8108cfbc | RHSA-2023:2802 | 2023-05-16T00:00:00Z |
| Red Hat Enterprise Linux 9 | golang-0:1.17.12-1.el9_0 | RHSA-2022:5799 | 2022-08-01T00:00:00Z |
| Red Hat Enterprise Linux 9 | grafana-0:7.5.15-3.el9 | RHSA-2022:8057 | 2022-11-15T00:00:00Z |
| Red Hat Enterprise Linux 9 | grafana-pcp-0:3.2.0-3.el9 | RHSA-2022:8250 | 2022-11-15T00:00:00Z |
| Red Hat Enterprise Linux 9 | git-lfs-0:3.2.0-1.el9 | RHSA-2023:2357 | 2023-05-09T00:00:00Z |
| Red Hat Migration Toolkit for Containers 1.7 | rhmtc/openshift-velero-plugin-rhel8:v1.7.6-5 | RHSA-2022:9047 | 2022-12-15T00:00:00Z |
| Red Hat OpenShift Container Platform 4.11 | cri-o-0:1.24.3-6.rhaos4.11.gitc4567c0.el8 | RHSA-2022:8626 | 2022-11-28T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-controller-rhel9 | Affected |
| Node Maintenance Operator | workload-availability/node-maintenance-rhel8-operator | Affected |
| OpenShift Developer Tools and Services | helm | Affected |
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel8 | Affected |
| OpenShift Developer Tools and Services | odo | Will not fix |
| OpenShift Pipelines | openshift-pipelines-client | Will not fix |
| Red Hat 3scale API Management Platform 2 | 3scale-operator-container | Affected |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/work-rhel8 | Affected |
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-main-rhel8 | Affected |
| Red Hat Ansible Automation Platform 2 | openshift-clients | Will not fix |
| Red Hat Ansible Automation Platform 2 | receptor | Affected |
| Red Hat Ceph Storage 3 | golang | Out of support scope |
| Red Hat Ceph Storage 5 | rhceph/rhceph-5-dashboard-rhel8 | Affected |
| Red Hat Enterprise Linux 8 | osbuild-composer | Will not fix |
| Red Hat Enterprise Linux 9 | buildah | Will not fix |
| Red Hat Enterprise Linux 9 | conmon | Not affected |
| Red Hat Enterprise Linux 9 | go-toolset | Affected |
| Red Hat Enterprise Linux 9 | ignition | Will not fix |
| Red Hat Enterprise Linux 9 | osbuild-composer | Will not fix |
| Red Hat Enterprise Linux 9 | podman | Will not fix |
| Red Hat Enterprise Linux 9 | skopeo | Will not fix |
| Red Hat OpenShift Container Platform 4 | buildah | Affected |
| Red Hat OpenShift Container Platform 4 | conmon | Not affected |
| Red Hat OpenShift Container Platform 4 | openshift | Not affected |
| Red Hat OpenShift Container Platform 4 | openshift-clients | Affected |
| Red Hat OpenShift Container Platform 4 | openshift-golang-builder-container | Affected |
| Red Hat OpenShift Container Platform 4 | podman | Not affected |
| Red Hat OpenShift Container Platform 4 | skopeo | Not affected |
| Red Hat Openshift Data Foundation 4 | mcg | Affected |
| Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Affected |
| Red Hat OpenShift distributed tracing 2 | rhosdt/jaeger-agent-rhel8 | Not affected |
| Red Hat OpenShift GitOps | openshift-gitops-1/gitops-rhel8 | Affected |
| Red Hat OpenShift GitOps | openshift-gitops-kam | Affected |
| Red Hat OpenShift on AWS | rosa | Affected |
| Red Hat Quay 3 | quay/clair-rhel8 | Affected |
| Red Hat Software Collections | rh-git227-git-lfs | Will not fix |
| Red Hat Storage 3 | golang | Will not fix |
| Red Hat Storage 3 | go-toolset-7-golang | Will not fix |
| Red Hat Storage 3 | heketi | Out of support scope |
| Red Hat Web Terminal | web-terminal-exec-container | Fix deferred |
Apply commands
Apply RHSA-2022:6113 for Application Interconnect 1 for RHEL 8
yum update -y skupper-cli
# or:
dnf upgrade -y skupper-cliAffected
| Vendor | Product | Version |
|---|---|---|
| redhat | Migration Toolkit for Virtualization | Affected |
| redhat | Node Maintenance Operator | Affected |
| redhat | OpenShift Developer Tools and Services | Affected |
| redhat | OpenShift Developer Tools and Services | Affected |
| redhat | Red Hat 3scale API Management Platform 2 | Affected |
| redhat | Red Hat Advanced Cluster Management for Kubernetes 2 | Affected |
| redhat | Red Hat Advanced Cluster Security 3 | Affected |
| redhat | Red Hat Ansible Automation Platform 2 | Affected |
| redhat | Red Hat Ceph Storage 5 | Affected |
| redhat | Red Hat Enterprise Linux 9 | Not affected |
| redhat | Red Hat Enterprise Linux 9 | Affected |
| redhat | Red Hat OpenShift Container Platform 4 | Affected |
| redhat | Red Hat OpenShift Container Platform 4 | Not affected |
| redhat | Red Hat OpenShift Container Platform 4 | Not affected |
| redhat | Red Hat OpenShift Container Platform 4 | Affected |
| redhat | Red Hat OpenShift Container Platform 4 | Affected |
| redhat | Red Hat OpenShift Container Platform 4 | Not affected |
| redhat | Red Hat OpenShift Container Platform 4 | Not affected |
| redhat | Red Hat Openshift Data Foundation 4 | Affected |
| redhat | Red Hat Openshift Data Foundation 4 | Affected |
| redhat | Red Hat OpenShift distributed tracing 2 | Not affected |
| redhat | Red Hat OpenShift GitOps | Affected |
| redhat | Red Hat OpenShift GitOps | Affected |
| redhat | Red Hat OpenShift on AWS | Affected |
| redhat | Red Hat Quay 3 | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| β | Affected | β |
Debian Mixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| bullseye | Affected | β |
| bookworm | Fixed | 1.19~rc1-1 |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | golang-src-1.17.12-1.el9_0.noarch.rpm |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | β |
| 8 | Fixed | β |
Rocky Linux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | β |
| 8 | Fixed | β |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | stdlib | >=1.18.0-0,<1.18.4 | 1.17.12 |
References
- https://errata.rockylinux.org/RLSA-2023:2802
- https://errata.rockylinux.org/RLSA-2023:2758
- https://access.redhat.com/errata/RHSA-2022:5799
- https://access.redhat.com/errata/RHSA-2022:8057
- https://access.redhat.com/errata/RHSA-2022:8250
- https://access.redhat.com/errata/RHSA-2023:2357
- https://errata.rockylinux.org/RLSA-2022:7648
- https://www.suse.com/security/cve/CVE-2022-32148.html
- https://errata.rockylinux.org/RLSA-2022:7529
- https://errata.rockylinux.org/RLSA-2022:7519
- https://errata.rockylinux.org/RLSA-2022:7129
- https://go.dev/cl/412857
- https://go.googlesource.com/go/+/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a
- https://go.dev/issue/53423
- https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
- https://errata.rockylinux.org/RLSA-2022:5775
- https://security-tracker.debian.org/tracker/CVE-2022-32148
- https://errata.rockylinux.org/RLSA-2022:8250
- https://errata.rockylinux.org/RLSA-2022:8057
- https://errata.rockylinux.org/RLSA-2022:5799
- https://access.redhat.com/errata/RHSA-2022:7648
- https://bugzilla.redhat.com/2107342
- https://bugzilla.redhat.com/2107371
- https://bugzilla.redhat.com/2107374
- https://bugzilla.redhat.com/2107383
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.