Bug 2053429 (CVE-2022-23806)
Summary: | CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vipul Nair <vinair> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abishop, adam.kaplan, agarcial, akashem, alitke, amctagga, amuller, amurdaca, anharris, anpicker, aos-bugs, aos-install, aos-network-edge-staff, aos-odin-bot, aos-storage-staff, aos-team-ota, arane, asm, bbennett, bcoca, bdettelb, bmontgom, bniver, bodavis, carangog, carl, caswilli, cmarinea, cmeyers, cnv-qe-bugs, dagray, davidn, dbecker, dbenoit, dholler, dornelas, dperaza, dwalsh, dwd, dwest, dwhatley, dymurray, eglynn, emachado, eparis, erooth, etamir, ewolinet, fdeutsch, fjansen, flucifre, gblomqui, gmeno, go-sig, gparvin, hchiramm, hvyas, ibolton, jaharrin, jakob, jarrpa, jburrell, jcajka, jcammara, jcantril, jeder, jerzhang, jhadvig, jhardy, jhrozek, jitsingh, jjoyce, jlanford, jligon, jmatthew, jmencak, jmittapa, jmontleo, jobarker, joelsmith, jokerman, jortel, jpadman, jramanat, jschluet, jwendell, jwong, jwon, kaycoth, krathod, lball, lemenkov, lhh, lhinds, link, lmadsen, lmeyer, lpeer, mabashia, madam, maszulik, matzew, mbenjamin, mburns, mfojtik, mgarciac, mhackett, mmagr, mnewsome, mrogers, mrunge, mrussell, mthoemme, nbecker, njean, nobody, notting, nstielau, obulatov, ocs-bugs, osapryki, ovanders, pahickey, pakotvan, pbhattac, pegoncal, quantum.analyst, rcernich, relrod, rfreiman, rhcos-triage, rhuss, rpetrell, rphillips, rrajasek, sabose, sanchezl, sclewis, sd-operator-metering, sdoran, sejug, sfowler, sgott, shardy, sipoyare, slaznick, slinaber, slucidi, smcdonal, sostapov, spandura, spasquie, sponnaga, spower, sseago, stcannon, stirabos, sttts, suprs, surbania, tcarlin, team-winc, tkasparek, tkral, tkuratom, tnielsen, tstellar, tsweeney, twalsh, vereddy, vkumar, whayutin, xiyuan, xxia, ypadia, ytale |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | go 1.17.7, go 1.16.14 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in the elliptic package of the crypto library in golang, where the IsOnCurve function could return true for invalid field elements. This flaw allows an attacker to take advantage of this undefined behavior, affecting the availability and integrity of the resource. | ||
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2022-05-11 16:15:31 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2063937, 2063939, 2073715, 2073716, 2053432, 2053433, 2054628, 2054668, 2054845, 2056095, 2056098, 2056102, 2056513, 2056514, 2057118, 2057120, 2058179, 2058180, 2058181, 2058182, 2058183, 2058184, 2066428, 2067552, 2068603, 2068662, 2068663, 2068664, 2068670, 2068671, 2068673, 2068803, 2068827, 2068828, 2068829, 2068836, 2080392, 2080393, 2080394, 2080395, 2080396, 2080397, 2080398, 2080399, 2080400, 2080401, 2080402, 2080403, 2080404, 2080405, 2080406, 2093366, 2093367, 2093369, 2093370, 2168805 | ||
Bug Blocks: | 2053423, 2053545 |
Description
Vipul Nair
2022-02-11 09:51:02 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2053432]
Affects: fedora-all [bug 2053433]

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1081 https://access.redhat.com/errata/RHSA-2022:1081

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1819 https://access.redhat.com/errata/RHSA-2022:1819

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23806

This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:4860 https://access.redhat.com/errata/RHSA-2022:4860

This issue has been addressed in the following products:

  Openshift Serverless 1.22

Via RHSA-2022:4863 https://access.redhat.com/errata/RHSA-2022:4863

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956

This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:5004 https://access.redhat.com/errata/RHSA-2022:5004

This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:5006 https://access.redhat.com/errata/RHSA-2022:5006

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:5201 https://access.redhat.com/errata/RHSA-2022:5201

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7

Via RHSA-2022:5392 https://access.redhat.com/errata/RHSA-2022:5392

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5875 https://access.redhat.com/errata/RHSA-2022:5875

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5068 https://access.redhat.com/errata/RHSA-2022:5068

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6094 https://access.redhat.com/errata/RHSA-2022:6094

This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526

This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408

This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529
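The Doc Text above describes the flaw as IsOnCurve accepting coordinates that are not valid field elements (values outside the range 0 to p-1, where p is the curve's field prime). The following is an added example, not code from this bug report or from the Go project, showing the defensive invariant a caller that receives curve points from untrusted input (for example while parsing a public key) should enforce before trusting IsOnCurve: both coordinates must be non-negative and strictly less than the curve's P. The wrapper name IsOnCurveStrict and the helper CheckPoints are this example's own; crypto/elliptic and math/big are the standard library packages. On Go releases carrying the fix named in this bug (go 1.17.7, go 1.16.14) the curve's own IsOnCurve already rejects such inputs, so the wrapper returns the same answers on patched and unpatched toolchains alike.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// IsOnCurveStrict is a hypothetical wrapper added for this example (it is not
// part of Go's crypto/elliptic API). It rejects any coordinate that is not a
// reduced field element, i.e. not in the range [0, p), before asking the curve
// whether the point satisfies the curve equation. On Go releases affected by
// CVE-2022-23806, curve.IsOnCurve alone could return true for x or y >= p.
func IsOnCurveStrict(curve elliptic.Curve, x, y *big.Int) bool {
	if x == nil || y == nil {
		return false
	}
	p := curve.Params().P
	// Negative values are never valid field elements.
	if x.Sign() < 0 || y.Sign() < 0 {
		return false
	}
	// Values >= p are the "invalid field elements" named in the advisory:
	// they may reduce to a point on the curve but are not canonical inputs.
	if x.Cmp(p) >= 0 || y.Cmp(p) >= 0 {
		return false
	}
	return curve.IsOnCurve(x, y)
}

// CheckPoints exercises the strict check on three constructed inputs built
// from the P-256 generator: the generator itself (must be accepted), a copy
// whose x coordinate has had p added to it (same residue mod p, but not a
// valid field element, so it must be rejected), and a copy with a negative
// x coordinate (must be rejected).
func CheckPoints() (validAccepted, unreducedRejected, negativeRejected bool) {
	curve := elliptic.P256()
	params := curve.Params()
	gx, gy := params.Gx, params.Gy

	validAccepted = IsOnCurveStrict(curve, gx, gy)

	xPlusP := new(big.Int).Add(gx, params.P)
	unreducedRejected = !IsOnCurveStrict(curve, xPlusP, gy)

	negX := new(big.Int).Neg(gx)
	negativeRejected = !IsOnCurveStrict(curve, negX, gy)
	return
}

func main() {
	v, u, n := CheckPoints()
	fmt.Printf("generator accepted: %v\n", v)
	fmt.Printf("x+p rejected:       %v\n", u)
	fmt.Printf("negative x rejected: %v\n", n)
}
```

The range check belongs at the boundary where untrusted bytes become a point, because a coordinate such as x+p passes the curve equation after implicit reduction yet is not the canonical encoding a peer would produce; rejecting it up front keeps later code from operating on a representation the library never guaranteed to handle.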