[stork-users] CVE-2024-24791 - Stork is not affected

Slawek Figiel slawek at isc.org
Wed Jul 10 10:45:41 UTC 2024


Hello!

The Go team announced a new vulnerability - see CVE-2024-24791 and 
GO-2024-2963. The vulnerability has been patched in Go 1.22.5.

The vulnerability affects HTTP clients. A malicious server can send 
responses that break the client connection and leave the client idle.

The govulncheck scanner warns that the Stork agent is vulnerable.

We analyzed the problem and concluded that the Stork agent is 
unaffected. The Stork agent only acts as a client of the HTTP connection 
when it sends a request to the Kea CA RestAPI. The Stork agent is always 
installed on the same machine as Kea CA, so communication is performed 
only locally. There is no possibility of injecting the malicious server 
between the peers or re-configuring the network to route the Stork agent 
to an attacker's host.
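The two facts above (a misbehaving server can break and idle a client connection; the agent only ever talks to a local peer) translate into two defensive controls on the Go side: bound every phase of a request so no single bad response can hold the client indefinitely, and refuse at the dialer to connect anywhere but a loopback address, so a reconfigured network or DNS answer cannot redirect the client off the machine. The following is an added illustration written for this post, not Stork's own code; the port, the client name and the helper function names are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// errNotLoopback is returned when a dial would leave the local machine.
var errNotLoopback = errors.New("refusing to dial a non-loopback address")

// loopbackOnly reports whether hostport ("127.0.0.1:8000", "[::1]:8000",
// "localhost:8000") names a loopback address. Only the literal name
// "localhost" is accepted; any other hostname is rejected so that a DNS
// answer cannot steer the client to a remote host.
func loopbackOnly(hostport string) (bool, error) {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		return false, err
	}
	if host == "localhost" {
		return true, nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false, nil
	}
	return ip.IsLoopback(), nil
}

// newLocalClient builds an http.Client that can only reach loopback
// addresses and that puts a deadline on connecting, waiting for headers,
// the whole request, and how long an idle connection is kept in the pool.
// A server that breaks or stalls the connection therefore costs the
// client at most these timeouts, after which the connection is dropped.
func newLocalClient() *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			ok, err := loopbackOnly(addr)
			if err != nil {
				return nil, err
			}
			if !ok {
				return nil, fmt.Errorf("%w: %s", errNotLoopback, addr)
			}
			return dialer.DialContext(ctx, network, addr)
		},
		ResponseHeaderTimeout: 10 * time.Second,
		IdleConnTimeout:       30 * time.Second,
		MaxIdleConnsPerHost:   2,
	}
	return &http.Client{Transport: transport, Timeout: 15 * time.Second}
}

func main() {
	client := newLocalClient()
	// Constructed target outside loopback; the request is refused before
	// any packet is sent, so this runs offline.
	_, err := client.Get("http://10.0.0.5:8000/")
	fmt.Println("non-loopback target:", err)
}
```

The dialer check is the part that matches the reasoning in the post: even if an attacker could alter routing or name resolution, the client never opens a socket to a non-loopback peer, so the vulnerable code path is only ever exercised against the local Kea CA. The timeouts are the general mitigation for any client that cannot make that locality assumption.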

We decided not to prepare a security release to fix this vulnerability. 
We will patch it in the next scheduled release.

There is a related GitLab issue: 
https://gitlab.isc.org/isc-projects/stork/-/issues/1446

Best regards,
Slawek Figiel
Stork team
