Bug 1918750 (CVE-2021-3114)

Summary: CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: admiller, agerstmayr, ahajkova, ailan, alazar, alegrand, alitke, amctagga, amurdaca, anharris, anpicker, aoconnor, aos-bugs, aos-storage-staff, asm, bbaude, bbennett, bbreard, bbrownin, bmontgom, bniver, bodavis, bthurber, cnv-qe-bugs, dbenoit, deparker, desktop-qa-list, dfreiber, dmalcolm, dramseur, dsimansk, dwalsh, ecordell, emachado, eparis, erooth, fdeutsch, flucifre, fweimer, gcovolo, ggasparb, gmeno, grafana-maint, hchiramm, hgomes, hvyas, imcleod, jakub, jburrell, jcajka, jcantril, jchaloup, jcosta, jhrozek, jhunter, jkurik, jligon, jmulligan, jnovy, jokerman, josorior, jpadman, jshaughn, jwendell, jwon, kakkoyun, kconner, kmitts, krathod, lball, lcosic, lemenkov, lgamliel, lsm5, madam, maszulik, matzew, mbenjamin, mboddu, mfilanov, mfojtik, mgala, mgoodwin, mhackett, mhaicman, mheon, mjudeiki, mlysonek, mnewsome, mpolacek, mrajanna, mrogers, msivak, muagarwa, mwringe, nalin, nathans, nbecker, nobody, nstielau, ohudlick, oyahud, pcpbot, pdhamdhe, phoracek, pkrupa, pthomas, puebele, rcernich, renich, rfreiman, rhel8-maint, rhs-bugs, rhuss, rjones, rogbas, rphillips, rrajasek, rtalur, sbatsche, scox, security-response-team, sgott, shilpsha, shurley, sipoyare, skolicha, skontopo, sostapov, sponnaga, stirabos, storage-qa-internal, surbania, swshanka, team-winc, tjelinek, tnielsen, tnisan, tstellar, tsweeney, twalsh, umohnani, vbatts, vereddy, virt-maint, vkumar, vpolasek, wsato, xiyuan, ypadia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: go 1.15.7, go 1.14.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang's crypto/elliptic package: the P-224 curve implementation can, in rare circumstances, produce incorrect results, including invalid points returned from ScalarMult, which weakens any cryptography built on that curve. The highest threat from this vulnerability is to confidentiality and integrity.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-30 05:35:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1926306, 1918751, 1918752, 1918755, 1919261, 1919264, 1921144, 1921145, 1921147, 1921148, 1925082, 1926291, 1926292, 1926293, 1926294, 1926295, 1926296, 1926297, 1926298, 1926307, 1926308, 1926387, 1926388, 1926389, 1926390, 1926391, 1926392, 1926393, 1926394, 1926395, 1926396, 1926397, 1926398, 1926399, 1926400, 1926401, 1926402, 1926403, 1926404, 1926405, 1926406, 1926407, 1926408, 1926409, 1926410, 1926411, 1926412, 1926413, 1926414, 1926415, 1926416, 1926417, 1926418, 1926419, 1926420, 1926421, 1926422, 1926423, 1926424, 1926425, 1926426, 1926427, 1926428, 1926429, 1926430, 1926433, 1926434, 1926435, 1926436, 1926437, 1926441, 1926804, 1926805, 1926806, 1926807, 1926808, 1926809, 1926810, 1926811, 1926812, 1926813, 1926814, 1926815, 1926816, 1926817, 1926844, 1926845, 1926846, 1926847, 1926848, 1926849, 1929068, 1929069, 1929070, 1929071, 1929072, 1929073, 1929074, 1929075, 1929076, 1929077, 1929078, 1929079, 1929080, 1929081, 1929082, 1929083, 1929084, 1929085, 1929086, 1929087, 1929088, 1929089, 1929090, 1929091, 1929092, 1929093, 1929094, 1929095, 1929096, 1929097, 1929098, 1929100, 1930116, 1930117, 1930118, 1930119, 1930120, 1930121, 1930122, 1930123, 1930124, 1930125, 1930126, 1930127, 1930128, 1930129, 1930130, 1930131, 1930132, 1930148, 1930149, 1930162, 1942847, 1956489, 1956491, 2004046
Bug Blocks: 1918758

Description Michael Kaplan 2021-01-21 14:01:43 UTC
The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.
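The description above narrows the exposure to code paths that accept P-224 ECDSA keys (crypto/x509 and golang.org/x/crypto/ocsp), so the two questions an operator actually has to answer are whether any certificate in a bundle is on that curve and whether the Go toolchain that built the binary is at or past the versions listed under Fixed In Version. The Go program below is an added example written for this page; it is not code from Go, Red Hat or any of the errata. ScanPEM, GoVersionFixed and selfSigned are names chosen here, and the two self-signed certificates it scans are generated in memory as constructed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"runtime"
	"strconv"
	"strings"
	"time"
)

type Finding struct {
	Subject string
	Curve   string // curve name for ECDSA keys, "" for other key types
	P224    bool   // key is on the curve affected by CVE-2021-3114
}

// ScanPEM parses every CERTIFICATE block in bundle and flags those whose public
// key is ECDSA on P-224; other key types are listed too so coverage is visible.
func ScanPEM(bundle []byte) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", len(out), err)
		}
		f := Finding{Subject: cert.Subject.CommonName}
		if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
			f.Curve = pub.Curve.Params().Name
			f.P224 = f.Curve == "P-224"
		}
		out = append(out, f)
	}
	return out, nil
}

// GoVersionFixed reports whether a runtime.Version() string such as "go1.15.7"
// names a release with the fix (go1.15.7, go1.14.14 or newer); "devel" builds count as unfixed.
func GoVersionFixed(v string) bool {
	if !strings.HasPrefix(v, "go") {
		return false
	}
	var num [3]int // major, minor, patch; "16rc1" parses as its leading digits
	for i, part := range strings.SplitN(v[2:], ".", 3) {
		d := 0
		for d < len(part) && part[d] >= '0' && part[d] <= '9' {
			d++
		}
		num[i], _ = strconv.Atoi(part[:d])
	}
	major, minor, patch := num[0], num[1], num[2]
	return major > 1 || (major == 1 && (minor >= 16 || (minor == 15 && patch >= 7) || (minor == 14 && patch >= 14)))
}

// selfSigned generates a throwaway self-signed certificate on curve (constructed demo input).
func selfSigned(curve elliptic.Curve, cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	fmt.Printf("%s carries the P-224 fix: %v\n", runtime.Version(), GoVersionFixed(runtime.Version()))
	var bundle []byte // one P-224 and one P-256 certificate, generated in memory
	for _, c := range []elliptic.Curve{elliptic.P224(), elliptic.P256()} {
		p, err := selfSigned(c, c.Params().Name+"-test")
		if err != nil {
			panic(err)
		}
		bundle = append(bundle, p...)
	}
	findings, err := ScanPEM(bundle)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-12s curve=%-6s affected=%v\n", f.Subject, f.Curve, f.P224)
	}
}
```

Run it with `go run`; the P-224 certificate is flagged and the P-256 one is not. The scan only covers PEM certificate bundles: a P-224 key handed straight to an OCSP responder or a signer has to be checked where it is parsed, and since public CAs do not issue for P-224 (as the description notes), any hit almost always points at a private PKI. The version check deliberately treats development builds as unfixed.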

Comment 1 Michael Kaplan 2021-01-21 14:02:14 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1918752]
Affects: fedora-all [bug 1918751]

Comment 5 Sage McTaggart 2021-01-27 15:38:57 UTC
https://go-review.googlesource.com/c/go/+/284779/ Upstream patch

Comment 7 Hardik Vyas 2021-01-29 12:50:58 UTC
External References:

https://groups.google.com/g/golang-announce/c/mperVMGa98w

Comment 13 Przemyslaw Roguski 2021-02-08 18:46:34 UTC
Statement:

OpenShift ServiceMesh (OSSM) 1.1 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of the support.

Comment 31 errata-xmlrpc 2021-03-30 04:19:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:0958 https://access.redhat.com/errata/RHSA-2021:0958

Comment 32 errata-xmlrpc 2021-03-30 04:46:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:0957 https://access.redhat.com/errata/RHSA-2021:0957

Comment 33 Product Security DevOps Team 2021-03-30 05:35:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3114

Comment 34 errata-xmlrpc 2021-04-22 18:17:44 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:1339 https://access.redhat.com/errata/RHSA-2021:1339

Comment 35 errata-xmlrpc 2021-04-22 19:07:39 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.14

Via RHSA-2021:1338 https://access.redhat.com/errata/RHSA-2021:1338

Comment 36 errata-xmlrpc 2021-05-04 19:33:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1366 https://access.redhat.com/errata/RHSA-2021:1366

Comment 37 Siddharth Sharma 2021-05-10 17:57:33 UTC
This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped due to a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1958518.

Comment 40 errata-xmlrpc 2021-05-18 14:43:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1746 https://access.redhat.com/errata/RHSA-2021:1746

Comment 41 errata-xmlrpc 2021-05-19 04:02:33 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.10

Via RHSA-2021:2021 https://access.redhat.com/errata/RHSA-2021:2021

Comment 42 errata-xmlrpc 2021-05-19 09:14:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041

Comment 43 errata-xmlrpc 2021-05-19 15:01:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1551 https://access.redhat.com/errata/RHSA-2021:1551

Comment 44 errata-xmlrpc 2021-05-24 13:05:36 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.14

Via RHSA-2021:2093 https://access.redhat.com/errata/RHSA-2021:2093

Comment 45 errata-xmlrpc 2021-05-24 16:05:28 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:2095 https://access.redhat.com/errata/RHSA-2021:2095

Comment 47 errata-xmlrpc 2021-06-23 15:37:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.17

Via RHSA-2021:2532 https://access.redhat.com/errata/RHSA-2021:2532

Comment 49 errata-xmlrpc 2021-06-24 15:19:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543

Comment 50 errata-xmlrpc 2021-07-27 14:19:43 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8

Via RHSA-2021:2920 https://access.redhat.com/errata/RHSA-2021:2920

Comment 51 errata-xmlrpc 2021-07-27 22:07:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2437 https://access.redhat.com/errata/RHSA-2021:2437

Comment 52 errata-xmlrpc 2021-07-27 22:31:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

Comment 55 errata-xmlrpc 2021-08-10 17:33:37 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:3119 https://access.redhat.com/errata/RHSA-2021:3119

Comment 57 errata-xmlrpc 2021-10-07 14:17:44 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2021:3748 https://access.redhat.com/errata/RHSA-2021:3748

Comment 59 errata-xmlrpc 2021-11-02 13:31:35 UTC
This issue has been addressed in the following products:

  RHEL-7-CNV-4.9
  RHEL-8-CNV-4.9

Via RHSA-2021:4103 https://access.redhat.com/errata/RHSA-2021:4103

Comment 60 errata-xmlrpc 2021-11-09 17:48:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4226 https://access.redhat.com/errata/RHSA-2021:4226

Comment 61 errata-xmlrpc 2022-01-27 13:11:59 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2022:0308 https://access.redhat.com/errata/RHSA-2022:0308

Comment 62 Red Hat Bugzilla 2024-02-07 04:25:05 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days