Bug 1804533 (CVE-2020-9283)

Summary: CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abonas, adahiya, agarcial, alitke, aos-bugs, aos-storage-staff, asm, bbennett, bmontgom, bpeterse, cnv-qe-bugs, deparker, dgoodwin, ecordell, eparis, fdeutsch, gbrown, hchiramm, hvyas, jburrell, jcantril, jesusr, jmulligan, jokerman, kconner, knewcome, madam, maszulik, mcooper, mfojtik, mpatel, nstielau, phoracek, puebele, rcernich, rhs-bugs, rphillips, sd-operator-metering, sfowler, sgott, shurley, sisharma, sponnaga, storage-qa-internal, sttts, tjelinek, tsmetana, tstellar, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang.org/x/crypto 0.0.0-20200220183623-bac4c82f6975 Doc Type: If docs needed, set a value
Doc Text:
A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-07 01:27:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1806489, 1808167, 1808168, 1808178, 1808180, 1808215, 1808221, 1808233, 1857612, 1857613, 1857614, 1857615, 1857616, 1857617, 1857618, 1857619, 1857620, 1857621, 1857622, 1857623, 1857624, 1857625, 1857626, 1857628, 1857629, 1857630, 1857631, 1857632, 1857633, 1857634, 1857635, 1857636, 1857637, 1857638, 1857639, 1857640, 1857641, 1857642, 1857643, 1857644, 1857645, 1857646, 1857647, 1857648, 1806494, 1808163, 1808164, 1808165, 1808166, 1808169, 1808170, 1808171, 1808172, 1808173, 1808174, 1808175, 1808176, 1808177, 1808179, 1808181, 1808182, 1808199, 1808200, 1808201, 1808202, 1808204, 1808205, 1808206, 1808207, 1808208, 1808209, 1808210, 1808211, 1808212, 1808213, 1808214, 1808216, 1808217, 1808218, 1808219, 1808220, 1808222, 1808223, 1808224, 1808225, 1808226, 1808227, 1808228, 1808229, 1808230, 1808231, 1808232, 1808234, 1808243, 1808244, 1808246, 1808247, 1808248, 1808251, 1808252, 1821598, 1821623, 1837979, 1837987, 1843575, 1854385, 1857071    
Bug Blocks: 1804534    

Description Sam Fowler 2020-02-19 04:20:25 UTC
An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client.


Reference:

https://groups.google.com/forum/#!topic/kubernetes-security-discuss/s15RxeNdBLc

Comment 1 Sam Fowler 2020-02-24 00:13:49 UTC
External Reference:

https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY

Comment 11 Sam Fowler 2020-02-28 01:08:41 UTC
Statement:

OpenShift Container Platform uses the vulnerable library in a number of components but strictly as an SSH client. The severity of this vulnerability is reduced for clients as it requires connections to malicious SSH servers, with the maximum impact only a client crash. This vulnerability is rated Low for OpenShift Container Platform.

Comment 24 errata-xmlrpc 2020-07-06 20:12:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2790 https://access.redhat.com/errata/RHSA-2020:2790

Comment 25 errata-xmlrpc 2020-07-06 20:14:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2793 https://access.redhat.com/errata/RHSA-2020:2793

Comment 26 errata-xmlrpc 2020-07-06 20:30:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2789 https://access.redhat.com/errata/RHSA-2020:2789

Comment 27 Product Security DevOps Team 2020-07-07 01:27:37 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9283

Comment 28 errata-xmlrpc 2020-07-13 17:23:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412

Comment 32 errata-xmlrpc 2020-07-14 01:20:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2878 https://access.redhat.com/errata/RHSA-2020:2878

Comment 38 errata-xmlrpc 2020-07-28 12:49:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:3078 https://access.redhat.com/errata/RHSA-2020:3078

Comment 39 errata-xmlrpc 2020-08-06 20:16:21 UTC
This issue has been addressed in the following products:

  Jaeger-1.17

Via RHSA-2020:3370 https://access.redhat.com/errata/RHSA-2020:3370

Comment 40 errata-xmlrpc 2020-08-06 20:17:46 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1
  Openshift Service Mesh 1.1

Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369

Comment 41 errata-xmlrpc 2020-08-06 20:21:48 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:3372 https://access.redhat.com/errata/RHSA-2020:3372

Comment 42 errata-xmlrpc 2020-08-12 04:48:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:3414 https://access.redhat.com/errata/RHSA-2020:3414