Bug 1897635 (CVE-2020-28362)

Summary: CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: admiller, agerstmayr, ahajkova, ailan, alazar, alegrand, alitke, amctagga, amurdaca, anpicker, aoconnor, aos-bugs, aos-storage-staff, asm, bbaude, bbennett, bbreard, bbrownin, bmontgom, bniver, bodavis, cnv-qe-bugs, deparker, dhanak, dsimansk, dwalsh, ecordell, emachado, eparis, erooth, fdeutsch, flucifre, fweimer, gbrown, gmeno, grafana-maint, hchiramm, hvyas, imcleod, jakub, jburrell, jcajka, jcosta, jesusr, jhrozek, jkurik, jligon, jmulligan, jnovy, jokerman, josorior, jpadman, jshaughn, jwendell, jwon, kakkoyun, kconner, kingland, krathod, kverlaen, law, lchilton, lcosic, lemenkov, lgamliel, lsm5, madam, markito, maszulik, matzew, mbenjamin, mfilanov, mfojtik, mgoodwin, mhackett, mheon, miabbott, mloibl, mnewsome, mnovotny, mpolacek, mrajanna, mrogers, msivak, muagarwa, mwringe, nathans, nobody, nstielau, ohudlick, oyahud, pdhamdhe, phoracek, pkrupa, pthomas, puebele, rcernich, renich, rfreiman, rhel8-maint, rhs-bugs, rphillips, rrajasek, rtalur, sausingh, sbatsche, sfeifer, sgott, shurley, sipoyare, sostapov, sponnaga, stirabos, storage-qa-internal, surbania, swshanka, tjelinek, tnielsen, tstellar, tsweeney, twalsh, umohnani, vbatts, vereddy, virt-maint, xiyuan, ypadia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
See Also: https://issues.redhat.com/browse/OSSM-322
https://issues.redhat.com/browse/OSSM-323
https://issues.redhat.com/browse/OSSM-324
https://issues.redhat.com/browse/OSSM-325
https://issues.redhat.com/browse/OSSM-326
https://issues.redhat.com/browse/OSSM-327
https://issues.redhat.com/browse/OSSM-328
https://issues.redhat.com/browse/OSSM-329
https://issues.redhat.com/browse/TRACING-1689
https://issues.redhat.com/browse/TRACING-1690
https://issues.redhat.com/browse/TRACING-1691
https://issues.redhat.com/browse/TRACING-1692
https://issues.redhat.com/browse/TRACING-1693
https://issues.redhat.com/browse/TRACING-1694
https://issues.redhat.com/browse/SRVCOM-1159
https://issues.redhat.com/browse/SRVCOM-1160
https://issues.redhat.com/browse/SRVCOM-1161
Fixed In Version: go 1.15.5, go 1.14.12
Doc Text:
A flaw was found in the math/big package of Go's standard library that can lead to a denial of service. Applications written in Go that use math/big via cryptographic packages, including crypto/rsa and crypto/x509, are vulnerable and can be made to panic by a crafted certificate chain. The highest threat from this vulnerability is to system availability.
Last Closed: 2020-12-15 22:19:14 UTC
Bug Depends On: 1897636, 1897637, 1898659, 1898660, 1898820, 1898829, 1898835, 1898955, 1899185, 1902915, 1902916, 1902917, 1902918, 1902919, 1902920, 1902921, 1902922, 1902923, 1902924, 1902926, 1902927, 1902928, 1905509, 1905510, 1905511, 1905512, 1905513, 1905514, 1905515, 1905516, 1905517, 1905518, 1905520, 1905521, 1905522, 1905523, 1905524, 1905525, 1905526, 1905527, 1905528, 1905529, 1905530, 1905531, 1905533, 1905534, 1905535, 1905536, 1905537, 1905538, 1905539, 1905540, 1906015, 1906016, 1906017, 1906018, 1906019, 1906020, 1913515, 1914054, 1914055, 1914058, 1914059, 1916004, 1916187, 1916953, 1934654, 1934655, 1934657, 1934658, 1934659, 1934660, 1934661, 1934662, 1934663, 1935187, 1935188, 1935189, 1935190, 1935191, 1935192, 1935200, 1935203    
Bug Blocks: 1897651    

Description Guilherme de Almeida Suckevicz 2020-11-13 17:02:38 UTC
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat methods are similarly affected.

References:
https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ
https://github.com/golang/go/issues/42552
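
As an added illustration (not code from Go, Red Hat, or this bug's reporter), the following Go program shows the defensive shape of a stopgap for code that cannot yet move to the fixed releases: it bounds the size of the divisor or modulus before calling the affected math/big methods and converts any library panic into an error. The bound is derived from the thresholds quoted above (3168 bits on 32-bit, 6336 bits on 64-bit, both equal to 99 machine words); the function names and the RSA-modulus check are this example's own assumptions.

```go
package main

import (
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
	"math/bits"
)

// The advisory gives the threshold as 3168 bits (32-bit) / 6336 bits (64-bit);
// both equal 99 machine words, so the bound is derived from the word size here.
const divisorBitLimit = 99 * bits.UintSize

var ErrOperandTooLarge = errors.New("divisor/modulus exceeds the size safe for unpatched math/big")

// guardedQuoRem is a stopgap for code that must run on an unpatched runtime:
// it refuses divisors above the bound before calling math/big, and turns any
// panic from the library into an error so a crafted operand cannot kill a goroutine.
func guardedQuoRem(x, y *big.Int) (q, r *big.Int, err error) {
	if y.Sign() == 0 {
		return nil, nil, errors.New("division by zero")
	}
	if y.BitLen() > divisorBitLimit {
		return nil, nil, ErrOperandTooLarge
	}
	defer func() {
		if p := recover(); p != nil {
			q, r, err = nil, nil, fmt.Errorf("math/big panicked: %v", p)
		}
	}()
	q, r = new(big.Int).QuoRem(x, y, new(big.Int))
	return q, r, nil
}

// checkRSAPublicKey applies the same bound to an RSA modulus taken from a
// certificate, so an oversized key is rejected before crypto/rsa verification
// reaches the affected division path.
func checkRSAPublicKey(pub *rsa.PublicKey) error {
	if pub.N.BitLen() > divisorBitLimit {
		return ErrOperandTooLarge
	}
	return nil
}

func main() {
	q, r, err := guardedQuoRem(big.NewInt(17), big.NewInt(5))
	fmt.Println(q, r, err) // 3 2 <nil>
}
```

Such a guard only narrows exposure; upgrading to go 1.15.5 or go 1.14.12 (the Fixed In Version above) is the actual fix.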

Comment 1 Guilherme de Almeida Suckevicz 2020-11-13 17:03:16 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1897637]
Affects: fedora-all [bug 1897636]

Comment 3 Przemyslaw Roguski 2020-11-19 16:12:48 UTC
Upstream commit with fix:
https://github.com/golang/go/commit/1e1fa5903b760c6714ba17e50bf850b01f49135c

Comment 12 errata-xmlrpc 2020-12-03 11:19:46 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:5333 https://access.redhat.com/errata/RHSA-2020:5333

Comment 23 Sage McTaggart 2020-12-15 15:13:48 UTC
Statement:

OpenShift ServiceMesh (OSSM) 1.1 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of support.
Openshift Virtualization 1 (formerly Container Native Virtualization) is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities.

Red Hat Gluster Storage 3 shipped multi-cloud-object-gateway-cli and noobaa-operator container as a technical preview and is not currently planned to be addressed in future updates.

OpenShift Container Platform (OCP) 4.5 and earlier are built with Go versions earlier than 1.14, which are not affected by this vulnerability. OCP 4.6 is built with Go 1.15 and is affected.

Comment 24 errata-xmlrpc 2020-12-15 17:06:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5493 https://access.redhat.com/errata/RHSA-2020:5493

Comment 25 Product Security DevOps Team 2020-12-15 22:19:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28362

Comment 26 errata-xmlrpc 2021-01-14 13:38:53 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:0145 https://access.redhat.com/errata/RHSA-2021:0145

Comment 27 errata-xmlrpc 2021-01-14 16:31:20 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.12

Via RHSA-2021:0146 https://access.redhat.com/errata/RHSA-2021:0146

Comment 28 errata-xmlrpc 2021-01-18 16:03:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0038 https://access.redhat.com/errata/RHSA-2021:0038

Comment 29 errata-xmlrpc 2021-01-18 17:34:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0039 https://access.redhat.com/errata/RHSA-2021:0039

Comment 30 errata-xmlrpc 2021-01-18 17:57:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0037 https://access.redhat.com/errata/RHSA-2021:0037

Comment 31 errata-xmlrpc 2021-02-16 09:18:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0568 https://access.redhat.com/errata/RHSA-2021:0568

Comment 32 errata-xmlrpc 2021-02-16 13:16:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0436 https://access.redhat.com/errata/RHSA-2021:0436

Comment 35 errata-xmlrpc 2021-02-24 15:10:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633

Comment 40 errata-xmlrpc 2021-03-10 11:15:46 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799

Comment 41 errata-xmlrpc 2021-05-04 19:33:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1366 https://access.redhat.com/errata/RHSA-2021:1366

Comment 42 Siddharth Sharma 2021-05-10 17:54:13 UTC
This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped.

Comment 43 Siddharth Sharma 2021-05-10 17:57:19 UTC
This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped due to a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1958518.

Comment 45 errata-xmlrpc 2021-05-19 09:14:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041

Comment 46 errata-xmlrpc 2021-05-19 10:23:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2042 https://access.redhat.com/errata/RHSA-2021:2042

Comment 47 errata-xmlrpc 2021-05-19 15:00:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1551 https://access.redhat.com/errata/RHSA-2021:1551

Comment 49 errata-xmlrpc 2021-06-23 15:37:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.17

Via RHSA-2021:2532 https://access.redhat.com/errata/RHSA-2021:2532

Comment 50 errata-xmlrpc 2021-06-24 15:19:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543