Bug 2178492 (CVE-2022-41724)

Summary: CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, abenaiss, abishop, adudiak, amackenz, amasferr, amctagga, ansmith, aoconnor, asm, ataylor, aveerama, bbaude, bbuckingham, bcl, bcourt, bdettelb, bniver, bodavis, chazlett, cwelton, davidn, dbenoit, debarshir, desktop-qa-list, dfreiber, dkenigsb, dperaza, dshah, dsimansk, dwalsh, dymurray, eaguilar, ebaron, eglynn, ehelms, ellin, emachado, epacific, fdeutsch, flucifre, gmeno, gparvin, grafana-maint, ibolton, jaharrin, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jkoehler, jkurik, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, jpallich, jross, jscholz, jsherril, jwendell, kshier, lball, lhh, lmadsen, lsm5, lzap, mabashia, matzew, mbenjamin, mboddu, mburns, mcressma, mgarciac, mhackett, mheon, mhulan, mkudlej, mmagr, mnewsome, mrunge, mwringe, myarboro, nathans, nbecker, nboldt, njean, nmoumoul, nobody, ocs-bugs, opohorel, orabin, oramraz, osapryki, osbuilders, ovanders, owatkins, pahickey, pcreech, pehunt, periklis, pjindal, pthomas, rcernich, rchan, rgarg, rhcos-sst, rhos-maint, rhuss, rjohnson, rkieley, rogbas, saroy, scorneli, scox, sfroberg, sgott, shbose, simaishi, sipoyare, skontopo, slucidi, smcdonal, smullick, sostapov, spower, sseago, stcannon, swoodman, teagle, tfister, tjochec, tstellar, tsweeney, ubhargav, umohnani, vereddy, vkumar, whayutin, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: golang 1.20.1, golang 1.19.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go's crypto/tls package. When it receives a large TLS handshake record, the library can panic while constructing its response, which crashes the process (denial of service). A remote peer in the handshake can trigger this with a specially crafted handshake record: a malicious server against an affected client, or a malicious client against an affected server that requests client certificates. The panic occurs before the handshake completes, so the attacker needs no credentials.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-06-07 10:17:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2179247, 2179249, 2179254, 2179256, 2179258, 2179259, 2179262, 2179943, 2179944, 2179945, 2179946, 2179947, 2179948, 2179949, 2179950, 2179951, 2179952, 2179958, 2179960, 2179966, 2179967, 2179968, 2179971, 2179972, 2179973, 2208150, 2208151, 2178495, 2178496, 2179248, 2179250, 2179251, 2179252, 2179253, 2179255, 2179257, 2179261, 2179925, 2179926, 2179927, 2179935, 2179936, 2179937, 2179938, 2179939, 2179953, 2179954, 2179955, 2179956, 2179957, 2179959, 2179961, 2179962, 2179963, 2179964, 2179965, 2179969, 2179970    
Bug Blocks: 2169910    

Description Avinash Hanwate 2023-03-15 05:14:28 UTC
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
https://pkg.go.dev/vuln/GO-2023-1570
https://go.dev/cl/468125
https://go.dev/issue/58001
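
As an added illustration (not code from Go, Red Hat, or this bug), the following Go program applies the two checks a practitioner needs against the description above: whether a toolchain version falls inside the advisory's range (every release before go1.19.6, and go1.20.x before go1.20.1), read either from runtime.Version() or from a built binary's embedded build info, and whether a tls.Config matches one of the three affected configurations the description lists. Because Go compiles crypto/tls into every binary, what matters is the toolchain that built each binary, not the golang package installed on the host; that is why the errata below rebuild so many unrelated products. The function names, the sample configs and the version strings are this example's own assumptions.

```go
package main

import (
	"crypto/tls"
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// Fixed releases taken from this bug's "Fixed In Version" field.
var fixedPatch = map[int]int{19: 6, 20: 1} // go1.19.6, go1.20.1

// parseGoVersion reduces a toolchain string such as "go1.19.5", "go1.20rc1" or
// "go1.20.1 X:nocoverageredesign" to its minor and patch numbers. Pre-release
// suffixes (rc, beta) count as patch 0, matching the vulndb range "from 1.20.0-0".
func parseGoVersion(v string) (minor, patch int, ok bool) {
	fields := strings.Fields(v)
	if len(fields) == 0 {
		return 0, 0, false
	}
	v = strings.TrimPrefix(fields[0], "go")
	for _, pre := range []string{"rc", "beta"} {
		if i := strings.Index(v, pre); i >= 0 {
			v = v[:i]
		}
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, false // not a release string, e.g. "devel go1.21-abc123"
	}
	var err error
	if minor, err = strconv.Atoi(parts[1]); err != nil {
		return 0, 0, false
	}
	if len(parts) >= 3 {
		if patch, err = strconv.Atoi(parts[2]); err != nil {
			return 0, 0, false
		}
	}
	return minor, patch, true
}

// vulnerableToolchain reports whether a toolchain falls in the advisory's range:
// every release before go1.19.6, and go1.20.x before go1.20.1. known is false
// when the version string could not be parsed.
func vulnerableToolchain(v string) (vuln, known bool) {
	minor, patch, ok := parseGoVersion(v)
	if !ok {
		return false, false
	}
	switch {
	case minor < 19:
		return true, true // older release lines never received a fix
	case minor > 20:
		return false, true
	default:
		return patch < fixedPatch[minor], true
	}
}

// exposure lists which of the three affected configurations named in the
// description a tls.Config matches; isServer selects the server or client rules.
func exposure(cfg *tls.Config, isServer bool) []string {
	if cfg == nil {
		cfg = &tls.Config{}
	}
	// A zero MaxVersion means "highest supported", which includes TLS 1.3.
	tls13 := cfg.MaxVersion == 0 || cfg.MaxVersion >= tls.VersionTLS13
	// TLS 1.2 stays negotiable unless the floor is above it or the ceiling below it.
	tls12 := (cfg.MinVersion == 0 || cfg.MinVersion <= tls.VersionTLS12) &&
		(cfg.MaxVersion == 0 || cfg.MaxVersion >= tls.VersionTLS12)

	var hits []string
	if isServer {
		if tls13 && cfg.ClientAuth >= tls.RequestClientCert {
			hits = append(hits, "TLS 1.3 server that requests client certificates")
		}
		return hits
	}
	if tls13 {
		hits = append(hits, "TLS 1.3 client")
	}
	if tls12 && cfg.ClientSessionCache != nil {
		hits = append(hits, "TLS 1.2 client with session resumption enabled")
	}
	return hits
}

func main() {
	// The toolchain that built this process.
	vuln, known := vulnerableToolchain(runtime.Version())
	fmt.Printf("%s: vulnerable=%v known=%v\n", runtime.Version(), vuln, known)

	// Any Go binaries named on the command line, read from their embedded build info.
	for _, path := range os.Args[1:] {
		bi, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		vuln, known := vulnerableToolchain(bi.GoVersion)
		fmt.Printf("%s: built with %s, vulnerable=%v known=%v\n", path, bi.GoVersion, vuln, known)
	}

	// Constructed sample configs (not taken from any product on this page).
	server := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
	client := &tls.Config{MaxVersion: tls.VersionTLS12, ClientSessionCache: tls.NewLRUClientSessionCache(32)}
	fmt.Println("server:", exposure(server, true))
	fmt.Println("client:", exposure(client, false))
}
```

Run it as `go run main.go /usr/local/bin/some-go-binary ...` to triage binaries in place. govulncheck reports the same issue as GO-2023-1570, the vulndb entry linked above, and can scan source trees and built binaries alike; the exposure check is what the tool does not tell you, namely whether a given tls.Config actually reaches one of the affected handshake paths.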

Comment 1 Avinash Hanwate 2023-03-15 05:35:13 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2178495]
Affects: fedora-all [bug 2178496]

Comment 14 errata-xmlrpc 2023-04-05 01:15:04 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:1639 https://access.redhat.com/errata/RHSA-2023:1639

Comment 17 errata-xmlrpc 2023-04-18 01:01:37 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.2.0-RHEL-9

Via RHSA-2023:1817 https://access.redhat.com/errata/RHSA-2023:1817

Comment 20 errata-xmlrpc 2023-05-04 01:50:10 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:2107 https://access.redhat.com/errata/RHSA-2023:2107

Comment 24 errata-xmlrpc 2023-05-16 09:59:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3083 https://access.redhat.com/errata/RHSA-2023:3083

Comment 25 errata-xmlrpc 2023-05-17 22:31:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326

Comment 26 errata-xmlrpc 2023-05-17 22:54:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1325 https://access.redhat.com/errata/RHSA-2023:1325

Comment 28 errata-xmlrpc 2023-05-18 11:34:12 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:3167 https://access.redhat.com/errata/RHSA-2023:3167

Comment 29 errata-xmlrpc 2023-05-18 14:28:07 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584

Comment 30 errata-xmlrpc 2023-05-30 20:24:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3303 https://access.redhat.com/errata/RHSA-2023:3303

Comment 32 errata-xmlrpc 2023-06-05 14:08:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445

Comment 33 errata-xmlrpc 2023-06-05 16:44:18 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450

Comment 34 errata-xmlrpc 2023-06-05 23:42:47 UTC
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455

Comment 35 errata-xmlrpc 2023-06-07 02:02:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3366 https://access.redhat.com/errata/RHSA-2023:3366

Comment 36 Product Security DevOps Team 2023-06-07 10:17:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41724

Comment 37 errata-xmlrpc 2023-06-22 19:52:25 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742

Comment 38 errata-xmlrpc 2023-06-23 04:39:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612

Comment 39 errata-xmlrpc 2023-07-10 08:51:18 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003

Comment 41 errata-xmlrpc 2023-08-03 14:12:45 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470

Comment 42 errata-xmlrpc 2023-08-08 00:36:20 UTC
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335

Comment 43 errata-xmlrpc 2023-08-14 01:02:37 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627