CVE-2024-24791 (go update)
The Go team announced a new vulnerability - see CVE-2024-24791 and GO-2024-2963. The vulnerability has been patched in Go 1.22.5.
The govulncheck scanner warns that the Stork agent is vulnerable.
The vulnerability affects HTTP clients: a malicious server can send responses that break the client connection and leave it stuck in an idle state.
We analyzed the problem and concluded that the Stork agent is unaffected. The Stork agent acts as an HTTP client only when it sends requests to the Kea CA REST API. The Stork agent is always installed on the same machine as the Kea CA, so this communication is purely local. There is no way to inject a malicious server between the two peers or to reconfigure the network so that the Stork agent is routed to an attacker's host.
We decided not to prepare a security release to fix this vulnerability. We will patch it in the next scheduled release.
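As an added example (not the Stork project's own code), one way to turn the local-only assumption above into an enforced property: a Go http.Client whose dialer refuses any target that is not a loopback address, so a mistyped Kea CA address or a proxy environment variable cannot route the agent to a remote host. The function and variable names are assumed for illustration.

```go
package main

import (
	"context"
	"errors"
	"net"
	"net/http"
)

// errNotLoopback is returned for any dial target that is not a loopback address.
var errNotLoopback = errors.New("refusing to dial non-loopback address")

// loopbackOnly reports whether host is loopback: IP literals are checked directly,
// names are resolved with r and every resolved address must be loopback.
func loopbackOnly(ctx context.Context, r *net.Resolver, host string) (bool, error) {
	if ip := net.ParseIP(host); ip != nil {
		return ip.IsLoopback(), nil
	}
	addrs, err := r.LookupIPAddr(ctx, host)
	if err != nil || len(addrs) == 0 {
		return false, err
	}
	for _, a := range addrs {
		if !a.IP.IsLoopback() {
			return false, nil
		}
	}
	return true, nil
}

// loopbackDialer wraps d so that only loopback targets are ever dialed.
func loopbackDialer(d *net.Dialer) func(context.Context, string, string) (net.Conn, error) {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, _, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		switch ok, err := loopbackOnly(ctx, net.DefaultResolver, host); {
		case err != nil:
			return nil, err
		case !ok:
			return nil, errNotLoopback
		}
		return d.DialContext(ctx, network, addr)
	}
}

// newLocalClient builds a client that can only reach loopback servers; Transport.Proxy
// is left nil, so HTTP_PROXY-style environment settings cannot redirect the request.
func newLocalClient() *http.Client {
	return &http.Client{Transport: &http.Transport{DialContext: loopbackDialer(&net.Dialer{})}}
}
```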