CVE-2022-27191: 
cAdvisor vulnerability analysis and mitigation

The golang.org/x/crypto/ssh package before version 0.0.0-20220314234659-1baeb1ce4c0b contains a vulnerability identified as CVE-2022-27191. The vulnerability was discovered and disclosed in March 2022, affecting Go applications using the crypto/ssh package. The vulnerability specifically impacts servers that have been configured using ServerConfig.AddHostKey with certain types of Signers (Golang Announce).

The vulnerability occurs under specific conditions where a server has been configured by passing a Signer to ServerConfig.AddHostKey, the Signer does not implement AlgorithmSigner, and the Signer returns a key of type "ssh-rsa" from its PublicKey method. Servers that only use Signer implementations provided by the ssh package are unaffected. The vulnerability has been assigned a CVSS score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Security).

When successfully exploited, this vulnerability could lead to a Denial of Service (DoS) condition by causing the server to crash. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (NetApp Security).

The vulnerability has been fixed in golang.org/x/crypto/ssh version 0.0.0-20220314234659-1baeb1ce4c0b and later. Users should update to this version or newer to address the vulnerability. Various Linux distributions have also released security updates to address this issue, including Fedora and Debian (Debian Security).