Bug 2092793 (CVE-2022-30629)

Summary: CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abishop, adam.kaplan, adudiak, agarcial, agerstmayr, akashem, akostadi, alcohan, alitke, amackenz, amasferr, amctagga, amurdaca, anjoseph, anpicker, aoconnor, aos-bugs, aos-network-edge-staff, aos-odin-bot, aos-team-ota, aputtur, asm, aveerama, bbaude, bbennett, bcl, bcoca, bdettelb, bkundu, bmontgom, bniver, bodavis, brking, bthurber, cbartlet, cdaley, chazlett, chousekn, cmarinea, cmeyers, crizzo, dagray, davidn, dbenoit, debarshir, deparker, dfreiber, dhanak, dholler, dmayorov, doconnor, dornelas, dperaza, drow, dsimansk, dwalsh, dwd, dwest, dwhatley, dymurray, eduardo.ramalho, eglynn, emachado, eparis, fdeutsch, fjansen, flucifre, gblomqui, gkurz, gmeno, gparvin, grafana-maint, gsuckevi, haoli, hhorak, hkataria, ibolton, ijolliff, jacding, jaharrin, jajackso, jburrell, jcajka, jcammara, jcantril, jchui, jeder, jerzhang, jhadvig, jhardy, jhrozek, jitsingh, jjoyce, jligon, jlledo, jmatthew, jmencak, jmitchel, jmontleo, jneedle, jnovy, jobarker, joelsmith, jokerman, jortel, jorton, jpadman, jprabhak, jramanat, jschluet, jshaughn, jwendell, jwon, kegrant, kingland, koliveir, kshier, kverlaen, lball, lbragsta, lchilton, lemenkov, lhh, lmadsen, lmeyer, lsm5, lsvaty, mabashia, manissin, maszulik, matzew, mbenjamin, mburns, mfojtik, mgarciac, mhackett, mheon, mkudlej, mmakovy, mnewsome, mnovotny, mrajanna, mrunge, mrussell, muagarwa, mwringe, nalin, nathans, njean, nobody, notting, nparekh, nstielau, obulatov, ocp-storage-bot, ocs-bugs, omaciel, openshift-release-oversight, opohorel, oramraz, osapryki, osbuilders, oskutka, owatkins, pahickey, pakotvan, pbraun, pegoncal, pehunt, pgaikwad, pgrist, phoracek, pknezevi, ploffay, pthomas, rcernich, relrod, rhaigner, rhcos-sst, rhcos-triage, rhos-maint, rhuss, rjohnson, rpetrell, rphillips, sanchezl, sausingh, scorneli, sdoran, sejug, sfeifer, sgott, shvarugh, simaishi, sipoyare, skontopo, slaznick, slucidi, smcdonal, smullick, sostapov, spandura, spasquie, sponnaga, spower, sseago, stcannon, stirabos, surbania, teagle, team-winc-bot, tfister, thason, thavo, tjochec, tkuratom, tnielsen, tsedovic, tstellar, tsweeney, twalsh, umohnani, vereddy, vimartin, vkumar, wenshen, whayutin, wtam, xiyuan, xxia, yguenane, ytale
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: go 1.18.3, go 1.17.11 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-16 17:41:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2102700, 2102701, 2102702, 2102704, 2096696, 2096697, 2096698, 2096699, 2096700, 2096701, 2096702, 2096704, 2096705, 2096706, 2096707, 2096708, 2096709, 2096710, 2096711, 2096712, 2096713, 2096714, 2096715, 2096716, 2096717, 2096718, 2096719, 2096720, 2096721, 2096722, 2096723, 2096724, 2096725, 2096726, 2096727, 2096728, 2096729, 2096730, 2096731, 2096732, 2096733, 2096734, 2096735, 2096736, 2096737, 2096738, 2096739, 2096740, 2096741, 2096742, 2096743, 2096744, 2096745, 2096746, 2096747, 2096748, 2096749, 2096750, 2096751, 2096752, 2096753, 2096754, 2096755, 2096756, 2096757, 2096759, 2096760, 2096761, 2096762, 2096763, 2096764, 2096765, 2096766, 2096767, 2096768, 2096769, 2096770, 2096771, 2096772, 2096773, 2096774, 2096775, 2102703, 2102958, 2102959, 2102963, 2102964, 2102965, 2102966, 2102967, 2102968, 2102969, 2102970, 2102971, 2102972, 2102973, 2102974, 2102975, 2102976, 2102977, 2102978, 2102979, 2102980, 2102981, 2102982, 2102983, 2102984, 2102985, 2102986, 2102987, 2102988, 2102989, 2102990, 2102991, 2102992, 2102993, 2102994, 2102995, 2102996, 2102997, 2103001, 2103002, 2103003, 2103255, 2108767, 2108768, 2108769, 2108770, 2108771, 2108772, 2108773, 2108774, 2108775, 2108776, 2108777, 2108778, 2108779, 2108780, 2108781, 2108782, 2108783, 2108784, 2108785, 2108786, 2108787, 2108788, 2108789, 2108790, 2108791, 2108792, 2108793, 2108794, 2108795, 2108796, 2108797, 2108798, 2108799, 2108800, 2108801, 2108802, 2108806, 2108807, 2108808, 2108809, 2108810, 2108811, 2108812, 2108813, 2108814, 2108815, 2108816, 2108817, 2108819, 2108820, 2108821, 2108822, 2108823, 2108824, 2108825, 2108826, 2108827, 2108828, 2108829, 2108831, 2108832, 2108833, 2108834, 2108835, 2108836, 2108837, 2108838, 2108839, 2108840, 2108841, 2108842, 2108843, 2108844, 2108845, 2108846, 2108847, 2108848, 2108849, 2108850, 2108851, 2108852, 2109278, 2109279, 2109306, 2109307, 2109308, 2168805    
Bug Blocks: 2092875    

Description TEJ RATHI 2022-06-02 09:22:04 UTC 
We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

* crypto/tls: session tickets lack random ticket_age_add

Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

References:
https://go.dev/issue/52814
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg

Upstream Commits:
Master : https://github.com/golang/go/commit/fe4de36198794c447fbd9d7cc2d7199a506c76a5
Branch.go1.17 : https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c
Branch.go1.18 : https://github.com/golang/go/commit/c838098c327a1b6d63446f4722e943b02d235d78
Comment 7 TEJ RATHI 2022-07-01 06:47:45 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2102959]
Affects: fedora-all [bug 2102958]
Comment 10 Sage McTaggart 2022-07-01 20:05:31 UTC 
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2103255]
Comment 23 errata-xmlrpc 2022-08-10 11:36:49 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042
Comment 24 errata-xmlrpc 2022-08-10 13:15:45 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040
Comment 36 errata-xmlrpc 2022-08-23 14:44:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6102 https://access.redhat.com/errata/RHSA-2022:6102
Comment 37 errata-xmlrpc 2022-08-23 15:07:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6103 https://access.redhat.com/errata/RHSA-2022:6103
Comment 38 errata-xmlrpc 2022-08-31 16:56:22 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277
Comment 39 errata-xmlrpc 2022-09-01 01:24:58 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2022:6290 https://access.redhat.com/errata/RHSA-2022:6290
Comment 40 errata-xmlrpc 2022-09-01 05:40:46 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152
Comment 41 errata-xmlrpc 2022-09-06 12:58:18 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347
Comment 42 errata-xmlrpc 2022-09-06 13:02:24 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346
Comment 43 errata-xmlrpc 2022-09-06 13:42:46 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348
Comment 44 errata-xmlrpc 2022-09-06 14:33:17 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345
Comment 45 errata-xmlrpc 2022-09-06 22:29:21 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370
Comment 46 errata-xmlrpc 2022-09-13 02:09:52 UTC 
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:6430 https://access.redhat.com/errata/RHSA-2022:6430
Comment 47 errata-xmlrpc 2022-09-20 16:20:42 UTC 
This issue has been addressed in the following products:

  Ironic content for Red Hat OpenShift Container Platform 4.11
  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6535 https://access.redhat.com/errata/RHSA-2022:6535
Comment 49 errata-xmlrpc 2022-09-26 14:52:13 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:6696 https://access.redhat.com/errata/RHSA-2022:6696
Comment 57 errata-xmlrpc 2022-12-01 21:10:06 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:8750 https://access.redhat.com/errata/RHSA-2022:8750
Comment 58 errata-xmlrpc 2022-12-15 01:57:37 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047
Comment 74 errata-xmlrpc 2023-01-24 12:48:58 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407
Comment 75 errata-xmlrpc 2023-01-24 13:34:42 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 83 errata-xmlrpc 2023-02-07 18:36:52 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:0630 https://access.redhat.com/errata/RHSA-2023:0630
Comment 85 errata-xmlrpc 2023-03-15 19:55:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275
Comment 87 errata-xmlrpc 2023-03-30 00:43:05 UTC 
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529
Comment 89 errata-xmlrpc 2023-05-09 07:22:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2253 https://access.redhat.com/errata/RHSA-2023:2253
Comment 90 errata-xmlrpc 2023-05-09 07:24:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2282 https://access.redhat.com/errata/RHSA-2023:2282
Comment 91 errata-xmlrpc 2023-05-09 07:24:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2283 https://access.redhat.com/errata/RHSA-2023:2283
Comment 92 errata-xmlrpc 2023-05-09 07:36:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2367 https://access.redhat.com/errata/RHSA-2023:2367
Comment 94 errata-xmlrpc 2023-05-16 08:08:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758
Comment 95 Product Security DevOps Team 2023-05-16 17:41:30 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-30629
Comment 96 errata-xmlrpc 2023-06-15 16:00:08 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
Comment 97 errata-xmlrpc 2023-07-06 02:44:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:3914 https://access.redhat.com/errata/RHSA-2023:3914
Comment 100 errata-xmlrpc 2023-08-07 00:27:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:4488 https://access.redhat.com/errata/RHSA-2023:4488