CVE-2024-24786
Infinite loop in JSON unmarshaling in google.golang.org/protobuf
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
A flaw was found in Golang's protobuf module, where the unmarshal function can enter an infinite loop when processing certain invalid inputs. This issue occurs during unmarshaling into a message that includes a google.protobuf.Any or when the UnmarshalOptions.DiscardUnknown option is enabled. This flaw allows an attacker to craft malicious input tailored to trigger the identified flaw in the unmarshal function. By providing carefully constructed invalid inputs, they could potentially cause the function to enter an infinite loop, resulting in a denial of service condition or other unintended behaviors in the affected system.
This update for kubernetes1.23 fixes the following issues.

Security fixes:
- Escape, meta and control sequences in raw data output to terminal not neutralized.
- Bypass of policies imposed by the ImagePolicyWebhook admission plugin.
- Bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin.
- Go1.20: excessive resource consumption when dealing with rapid stream resets.
- google.golang.org/grpc, kube-apiserver: HTTP/2 rapid reset vulnerability.
- golang.org/x/net: excessive CPU consumption when processing unlimited sets of headers.
- kube-controller-manager pod crash when processing malformed HPA v1 manifests.
- Bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin.
- github.com/golang/protobuf: infinite loop when unmarshaling invalid JSON.

Bug fixes:
- Use -trimpath in non-DBG mode for reproducible builds.
- Fixed multiple issues for a successful 'kubeadm init' run.
- Update go to version 1.22.5 in build requirements.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-01-30 CVE Reserved
- 2024-03-05 CVE Published
- 2025-02-13 CVE Updated
- 2025-07-22 EPSS Updated
CWE
- CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CAPEC
References (7)
URL | Date | SRC
---|---|---
https://access.redhat.com/security/cve/CVE-2024-24786 | 2025-06-26 |
https://bugzilla.redhat.com/show_bug.cgi?id=2268046 | 2025-06-26 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
google.golang.org/protobuf | google.golang.org/protobuf/encoding/protojson | < 1.33.0 | Affected
google.golang.org/protobuf | google.golang.org/protobuf/internal/encoding/json | < 1.33.0 | Affected