Headline
CVE-2022-36055: Release Helm 3.9.4 · helm/helm
Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the strvals package that can cause an out of memory panic. The strvals package contains a parser that turns strings in to Go structures. The strvals package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the strvals package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to --set
, --set-string
, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won’t create large arrays causing significant memory usage before passing them to the strvals functions.
Helm v3.9.4 is a security (patch) release. Users are strongly recommended to update to this release.
While fuzz testing Helm, provided by the CNCF, a possible out of memory panic was discovered with the strvals package. Out of memory panics cannot be recovered from in Go. This can potentially be used to produce a denial of service (DOS). More details are available in the advisory.
The community keeps growing, and we’d love to see you there!
- Join the discussion in Kubernetes Slack:
- for questions and just to hang out
- for discussing PRs, code, and bugs
- Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
- Test, debug, and contribute charts: ArtifactHub/packages
Installation and Upgrading
Download Helm v3.9.4. The common platform binaries are here:
- MacOS amd64 (checksum / fe5930feca6fd1bd2c57df01c1f381c6444d1c3d2b857526bf6cbfbd6bf906b4)
- MacOS arm64 (checksum / a73d91751153169781b3ab5b4702ba1a2631fc8242eba33828b5905870059312)
- Linux amd64 (checksum / 31960ff2f76a7379d9bac526ddf889fb79241191f1dbe2a24f7864ddcb3f6560)
- Linux arm (checksum / 18ce0f79dcd927fea5b714ca03299929dad05266192d4cde3de6b4c4d4544249)
- Linux arm64 (checksum / d24163e466f7884c55079d1050968e80a05b633830047116cdfd8ae28d35b0c0)
- Linux i386 (checksum / a37b0070e2f072050fdf4bd7430ffbe55390fee410eb0781cd01a0fe206eb963)
- Linux ppc64le (checksum / c63a951415c192397fda07c2f52aa60639b280920381c48d58be6803eb0c22f9)
- Linux s390x (checksum / 7fec97fa800d9bd981e2f42fb0908175db1f35da2d373a971ec7376fe4cb5451)
- Windows amd64 (checksum / 7cdc1342bc1863b6d5ce695fbef4d3b0d65c7c5bcef6ec6adf8fc9aa53821262)
This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.
The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.
What’s Next
- 3.10.0 is the next feature release and will be on September 14, 2022
Related news
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
IBM Db2U 3.5, 4.0, and 4.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 237210.
Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. Out of memory panics cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. ### Impact The _strvals_ package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like `--set`, `--set-string`, and others that enable the user to pass in strings that are merged into the values. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with i...