CVE-2024-24788
cAdvisor vulnerability analysis and mitigation

Overview

A vulnerability was discovered in the net package of the Go standard library, identified as CVE-2024-24788. The issue affects Go versions 1.22.0-0 prior to 1.22.3: a malformed DNS message received in response to a query can cause the Lookup functions to get stuck in an infinite loop. The vulnerability was reported by GitHub user @long-name-let-people-remember-you and brought to attention by Mateusz Poliwczak (Golang Announce).

Technical details

The vulnerability exists in the net package's DNS message handling. When processing DNS responses, the affected Lookup functions can enter an infinite loop on specially malformed DNS messages. This affects multiple functions, including LookupAddr, LookupCNAME, LookupHost, LookupIP, LookupMX, LookupNS, LookupSRV, and LookupTXT, among others. The issue has been assigned a CVSS v3.1 score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Security).

Impact

Successful exploitation of this vulnerability leads to a Denial of Service (DoS) condition. When triggered, the affected functions become stuck in an infinite loop, causing high CPU usage and making the service unresponsive (NetApp Security).

Mitigation and workarounds

The vulnerability has been fixed in Go versions 1.22.3 and 1.21.10. Users are advised to upgrade to these versions or later. The fix was implemented through a patch that corrects the DNS message handling logic (Golang Announce). Because the affected code lives in the standard library, every Go binary built with a vulnerable toolchain carries the bug; rebuilding with a fixed toolchain is required, not just updating the module dependencies.
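The following Go program is an added example, not code from the advisory or from the Go project. It checks a Go toolchain version string (the form reported by `runtime.Version()` or `go version`) against the fixed releases named above, so that a build pipeline or inventory script can flag binaries that need rebuilding. The version boundaries are the ones the advisory states (1.22.x before 1.22.3 affected; 1.21.10 and 1.22.3 carry the fix); the assumptions made here are that 1.21.x before 1.21.10 is affected, since 1.21.10 is the fix release for that line, that lines older than 1.21 never received a fix and are flagged as well, and that 1.23 and later are fixed. The function and type names are this example's own.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// goVersion holds the numeric parts of a Go release string such as "go1.22.1".
type goVersion struct {
	major, minor, patch int
}

// less reports whether v sorts before o.
func (v goVersion) less(o goVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// parseGoVersion turns "go1.22.1" or "1.22.1" into a goVersion. A missing
// patch number means ".0". Pre-release strings such as "go1.22rc1" or
// "devel ..." are rejected with an error rather than guessed at.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var v goVersion
	var err error
	if v.major, err = strconv.Atoi(parts[0]); err != nil {
		return goVersion{}, fmt.Errorf("bad major version in %q: %w", s, err)
	}
	if v.minor, err = strconv.Atoi(parts[1]); err != nil {
		return goVersion{}, fmt.Errorf("bad minor version in %q: %w", s, err)
	}
	if len(parts) == 3 {
		if v.patch, err = strconv.Atoi(parts[2]); err != nil {
			return goVersion{}, fmt.Errorf("bad patch version in %q: %w", s, err)
		}
	}
	return v, nil
}

// VulnerableToCVE202424788 reports whether a toolchain of the given version
// carries the net package DNS infinite-loop bug described in the advisory.
func VulnerableToCVE202424788(s string) (bool, error) {
	v, err := parseGoVersion(s)
	if err != nil {
		return false, err
	}
	switch {
	case v.major != 1:
		// No Go 2 release line exists; nothing to compare against.
		return false, nil
	case v.minor >= 23:
		// Assumption: 1.23 and later ship with the fix.
		return false, nil
	case v.minor == 22:
		// Advisory: 1.22.0-0 up to but not including 1.22.3 is affected.
		return v.less(goVersion{1, 22, 3}), nil
	default:
		// 1.21.10 is the fix release for the 1.21 line. Lines older than
		// 1.21 never received a fix, so they are flagged too (conservative
		// choice made in this example).
		return v.less(goVersion{1, 21, 10}), nil
	}
}

// CheckRuntime applies the check to the toolchain this binary was built with.
func CheckRuntime() (string, bool, error) {
	ver := runtime.Version()
	vuln, err := VulnerableToCVE202424788(ver)
	return ver, vuln, err
}

func main() {
	ver, vuln, err := CheckRuntime()
	if err != nil {
		fmt.Printf("cannot classify toolchain %q: %v\n", ver, err)
		return
	}
	if vuln {
		fmt.Printf("%s: affected by CVE-2024-24788, rebuild with Go >= 1.22.3 (or 1.21.10)\n", ver)
	} else {
		fmt.Printf("%s: not affected by CVE-2024-24788\n", ver)
	}
}
```

For binaries you did not build yourself, `go version -m <binary>` prints the toolchain that produced them; feeding that string to `VulnerableToCVE202424788` gives the same classification. Note that wrapping lookups in a context with a deadline only bounds how long the caller waits; a goroutine stuck in the malformed-message loop keeps consuming CPU, so upgrading the toolchain is the only real fix.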

This report was generated using AI.