[stork-users] CVE-2024-24791 - Stork is not affected
Slawek Figiel
slawek at isc.org
Wed Jul 10 10:45:41 UTC 2024
Hello!
The Go team announced a new vulnerability - see CVE-2024-24791 and
GO-2024-2963. The vulnerability has been patched in Go 1.22.5.
The vulnerability affects the HTTP connection clients. The malicious
server can send responses that break the client connection and keep the
client idle.
The govulncheck scanner warns that the Stork agent is vulnerable.
We analyzed the problem and concluded that the Stork agent is
unaffected. The Stork agent only acts as a client of the HTTP connection
when it sends a request to the Kea CA RestAPI. The Stork agent is always
installed on the same machine as Kea CA, so communication is performed
only locally. There is no possibility of injecting the malicious server
between the peers or re-configuring the network to route the Stork agent
to an attacker's host.
We decided not to prepare a security release to fix this vulnerability.
We will patch it in the next scheduled release.
There is a related Gitlab issue:
https://gitlab.isc.org/isc-projects/stork/-/issues/1446 .
Best regards,
Slawek Figiel
Stork team
More information about the Stork-users
mailing list