Bug 2030787 (CVE-2021-43565)

Summary: CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abishop, admiller, amctagga, amuller, amurdaca, anharris, anpicker, aos-bugs, aos-install, asm, ataylor, bdettelb, bmontgom, bniver, bodavis, caswilli, chazlett, cnv-qe-bugs, crarobin, dbecker, dbenoit, dwhatley, dymurray, emachado, eparis, erooth, etamir, fdeutsch, fjansen, flucifre, gmeno, godas, gparvin, hchiramm, hvyas, ibolton, jakob, jarrpa, jary, jburrell, jcajka, jjoyce, jmadigan, jmatthew, jmontleo, jmulligan, joelsmith, jpadman, jramanat, jross, jschluet, jshaughn, jwendell, jwong, jwon, kaycoth, krathod, l.angnerfrancesco, lball, lemenkov, lhh, lhinds, lmadsen, lpeer, madam, maszulik, matzew, mbenjamin, mburns, mfojtik, mgarciac, mhackett, mkleinhe, mnewsome, mrunge, nbecker, ngough, njean, nobody, nstielau, ocs-bugs, pahickey, pamccart, phoracek, rcernich, rfreiman, rhos-maint, rhs-bugs, rhuss, rkieley, rrajasek, rtalur, sabose, sclewis, sgott, slinaber, slucidi, sostapov, spasquie, sponnaga, sseago, stcannon, sttts, tcarlin, tnielsen, tstellar, twalsh, vereddy, vkumar, xxia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: golang.org/x/crypto 0.0.0-20211202192323-5770296d904e
Doc Type: If docs needed, set a value
Doc Text:
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-06-28 10:36:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2038320, 2038325, 2030788, 2030789, 2030790, 2031630, 2031631, 2031632, 2031633, 2031634, 2033831, 2033832, 2033833, 2033834, 2033835, 2033836, 2034206, 2034207, 2034208, 2038312, 2038313, 2038314, 2038315, 2038316, 2038317, 2038318, 2038319, 2038321, 2038322, 2038323, 2038324, 2038326, 2038327, 2038328, 2038329, 2038331, 2038332, 2038333, 2038334, 2038335, 2038336, 2038337, 2038338, 2038339, 2038340, 2038341, 2038342, 2038343, 2038344, 2038345, 2038346, 2038347, 2038348, 2038349, 2038350, 2038351, 2038352, 2038353, 2038354, 2038355, 2038356, 2038357, 2038358, 2038359, 2038360, 2038361, 2038362, 2038363, 2038364, 2038365, 2038366, 2038367, 2038368, 2038369, 2038370, 2038371, 2038372, 2038373, 2038374, 2038375, 2038376, 2038377, 2038378, 2038379, 2038380, 2038381, 2038382, 2039138, 2039139, 2039145, 2039146, 2039147, 2039148, 2039150, 2039151, 2039493, 2039494, 2039495, 2039496, 2039497, 2039499, 2039578, 2039580, 2039581, 2040441, 2040532, 2043226, 2043227, 2043229, 2043232, 2043270, 2043272, 2043275, 2043279, 2043280, 2043282, 2043285, 2043286, 2043287, 2043288, 2043290, 2043291, 2043300, 2043302, 2043304, 2043305, 2043306, 2043307, 2043308, 2043309, 2043673, 2044480, 2045901, 2047919, 2047922, 2048835, 2076689, 2076691, 2076692, 2076693, 2076694, 2076695, 2088189, 2088190
Bug Blocks: 2030812

Description Guilherme de Almeida Suckevicz 2021-12-09 18:12:30 UTC
Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed unauthenticated clients to cause a panic in SSH servers.

Reference:
https://github.com/golang/go/issues/49932
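The Doc Text field above characterises the flaw as missing input validation in readCipherPacket(): a decrypted packet whose payload is empty reaches code that indexes into it and panics. The Go program below is an added illustration written for this record; it is not code from golang.org/x/crypto, from the upstream fix, or from this bug. It frames SSH binary packets in the RFC 4253 section 6 layout (uint32 packet_length, byte padding_length, payload, padding), shows an unchecked parser of the same shape that panics on a zero-length payload, and sets beside it a hardened parser that validates every length field and returns an error instead. All function names (uncheckedMsgType, parsePayload, msgType, buildPacket) are hypothetical, and the sample packets are constructed test data that ignore the block-size alignment and minimum-padding rules of real SSH.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Errors returned by the hardened parser.
var (
	ErrShortPacket  = errors.New("ssh: packet too short")
	ErrBadLength    = errors.New("ssh: packet_length does not match data")
	ErrBadPadding   = errors.New("ssh: invalid padding length")
	ErrEmptyPayload = errors.New("ssh: empty packet")
)

// uncheckedMsgType reproduces the shape of the flaw (hypothetical code, not
// the x/crypto source): it slices the payload out of the framing fields and
// reads payload[0] without checking that the payload is non-empty. For a
// packet whose payload length is zero the index expression panics.
func uncheckedMsgType(plain []byte) byte {
	packetLen := binary.BigEndian.Uint32(plain[0:4])
	paddingLen := uint32(plain[4])
	payload := plain[5 : 4+packetLen-paddingLen]
	return payload[0] // index out of range when len(payload) == 0
}

// uncheckedPanics runs uncheckedMsgType and reports whether it panicked,
// so the failure mode can be observed without crashing the process.
func uncheckedPanics(plain []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_ = uncheckedMsgType(plain)
	return false
}

// parsePayload is the hardened form: validate every length field before
// slicing, and reject a zero-length payload with an error instead of panicking.
func parsePayload(plain []byte) ([]byte, error) {
	if len(plain) < 5 {
		return nil, ErrShortPacket
	}
	packetLen := binary.BigEndian.Uint32(plain[0:4])
	paddingLen := uint32(plain[4])
	// packet_length counts padding_length, payload and padding (not itself).
	if uint64(packetLen)+4 != uint64(len(plain)) {
		return nil, ErrBadLength
	}
	// padding_length plus its own byte must fit inside packet_length.
	if paddingLen+1 > packetLen {
		return nil, ErrBadPadding
	}
	payloadLen := packetLen - paddingLen - 1
	if payloadLen == 0 {
		return nil, ErrEmptyPayload
	}
	return plain[5 : 5+payloadLen], nil
}

// msgType returns the SSH message number (first payload byte) or an error.
func msgType(plain []byte) (byte, error) {
	payload, err := parsePayload(plain)
	if err != nil {
		return 0, err
	}
	return payload[0], nil
}

// buildPacket frames a payload as a decrypted SSH binary packet. Constructed
// test data: zero padding bytes, no alignment or minimum-padding rules.
func buildPacket(payload []byte, paddingLen byte) []byte {
	packetLen := uint32(1 + len(payload) + int(paddingLen))
	out := make([]byte, 4, 4+packetLen)
	binary.BigEndian.PutUint32(out, packetLen)
	out = append(out, paddingLen)
	out = append(out, payload...)
	out = append(out, make([]byte, paddingLen)...)
	return out
}

// Constructed sample packets: a 7-byte payload starting with message number 20
// (SSH_MSG_KEXINIT) and a packet carrying no payload at all.
func kexInitPacket() []byte      { return buildPacket([]byte{20, 1, 2, 3, 4, 5, 6}, 4) }
func emptyPayloadPacket() []byte { return buildPacket(nil, 4) }

func main() {
	for _, c := range []struct {
		name string
		pkt  []byte
	}{{"kexinit", kexInitPacket()}, {"empty", emptyPayloadPacket()}} {
		t, err := msgType(c.pkt)
		fmt.Printf("%-8s hardened: type=%d err=%v | unchecked panics=%v\n",
			c.name, t, err, uncheckedPanics(c.pkt))
	}
}
```

The hardened parser turns the crash into an ordinary protocol error that the caller can log and use to close the connection; from a detection standpoint, a burst of such errors from one peer before authentication is the observable counterpart of the panic the Doc Text describes.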

Comment 1 Guilherme de Almeida Suckevicz 2021-12-09 18:13:19 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2030788]
Affects: fedora-all [bug 2030790]
Affects: openstack-rdo [bug 2030789]

Comment 2 Summer Long 2021-12-10 04:25:34 UTC
Upstream change: https://go-review.googlesource.com/c/crypto/+/368814/

Comment 19 errata-xmlrpc 2022-02-22 21:58:04 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:0595 https://access.redhat.com/errata/RHSA-2022:0595

Comment 20 errata-xmlrpc 2022-03-03 06:58:11 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735

Comment 21 errata-xmlrpc 2022-03-28 14:15:51 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1081 https://access.redhat.com/errata/RHSA-2022:1081

Comment 22 errata-xmlrpc 2022-04-07 17:59:04 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276

Comment 23 errata-xmlrpc 2022-04-13 15:31:05 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1361 https://access.redhat.com/errata/RHSA-2022:1361

Comment 24 errata-xmlrpc 2022-04-13 18:49:26 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372

Comment 25 errata-xmlrpc 2022-04-20 23:46:04 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476

Comment 26 errata-xmlrpc 2022-05-03 16:43:11 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681

Comment 27 errata-xmlrpc 2022-06-09 02:06:07 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956

Comment 28 errata-xmlrpc 2022-06-27 17:03:30 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:5201 https://access.redhat.com/errata/RHSA-2022:5201

Comment 29 Product Security DevOps Team 2022-06-28 10:36:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-43565

Comment 30 errata-xmlrpc 2022-07-20 15:48:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:5673 https://access.redhat.com/errata/RHSA-2022:5673

Comment 31 errata-xmlrpc 2022-12-13 02:11:33 UTC
This issue has been addressed in the following products:

  RHOSS-1.26-RHEL-8

Via RHSA-2022:8938 https://access.redhat.com/errata/RHSA-2022:8938

Comment 35 errata-xmlrpc 2024-05-21 14:06:28 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:2944 https://access.redhat.com/errata/RHSA-2024:2944