Bug 2228743 (CVE-2023-29409)
Summary: | CVE-2023-29409 golang: crypto/tls: slow verification of certificate chains containing large RSA keys | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
Component: | vulnerability | Assignee: | Sayan Biswas <sabiswas> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aazores, abishop, adudiak, aileenc, amasferr, amctagga, ansmith, aoconnor, apjagtap, asatyam, asm, aveerama, bbaude, bbuckingham, bcl, bcourt, bdettelb, bniver, bodavis, chazlett, davidn, dbenoit, dcadzow, debarshir, desktop-qa-list, dfreiber, diagrawa, dkenigsb, dperaza, dsimansk, dwalsh, dymurray, eaguilar, ebaron, eglynn, ehelms, ellin, emachado, epacific, eric.wittmann, fdeutsch, flucifre, gmeno, gparvin, ibolton, jaharrin, janstey, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jkoehler, jkurik, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, jpallich, jschluet, jsherril, jwendell, kshier, lball, lhh, lmadsen, lsm5, lzap, mabashia, matzew, mbenjamin, mboddu, mburns, mcressma, mgarciac, mhackett, mheon, mhulan, mkudlej, mmagr, mnewsome, mrunge, mwringe, myarboro, nathans, nboldt, njean, nmontero, nmoumoul, nobody, opohorel, orabin, oramraz, osapryki, osbuilders, owatkins, pahickey, pantinor, pcpbot, pcreech, peholase, pehunt, periklis, pgrist, pjindal, pthomas, rcernich, rchan, rgarg, rhcos-sst, rhos-maint, rhuss, rjohnson, rogbas, saroy, scorneli, sfroberg, sgott, shbose, simaishi, sipoyare, skontopo, slucidi, smcdonal, smullick, sostapov, sseago, stcannon, teagle, tfister, tjochec, tstellar, tsweeney, twalsh, ubhargav, vereddy, vkumar, whayutin, yguenane, zsadeh |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Go 1.20.7, Go 1.19.12 | Doc Type: | If docs needed, set a value |
Doc Text: |
A denial of service vulnerability was found in the Golang Go package caused by an uncontrolled resource consumption flaw. By persuading a victim to use a specially crafted certificate with large RSA keys, a remote attacker can cause a client/server to expend significant CPU time verifying signatures, resulting in a denial of service condition.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2228830, 2228829, 2228831, 2228832, 2228833, 2228834, 2228835, 2228836, 2228837, 2228838, 2228839, 2228840, 2228842, 2228843, 2228844, 2229061, 2229062, 2229063, 2229064, 2229065, 2229066, 2229067, 2229068, 2229069, 2229070, 2229071, 2229072, 2229073, 2229074, 2229075, 2229076, 2229077, 2229078, 2229079, 2229080, 2229081, 2229082, 2229083, 2229084, 2229085, 2229086, 2229087, 2229088, 2229089, 2229090, 2229091, 2229092, 2229093, 2229094, 2229620, 2229621, 2230278, 2238931, 2238932 | ||
Bug Blocks: | 2228694 |
Description
Avinash Hanwate
2023-08-03 07:10:56 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 2229620] Affects: fedora-all [bug 2229621] Were the bugs for this CVE created correctly? I got bugs RHEL 8 bugs for toolbox for both the rolling (bug 2229077) and 4.0 (bug 2229071) module streams, but none for RHEL 9. In comparison, I found RHEL 9 bugs for podman (bug 2229091) and golang (bug 2229065). So, it seems like RHEL 9 is affected, but then why is there no RHEL 9 toolbox bug? There's no difference in toolbox across RHEL 8 and 9 that could be relevant to this CVE. I have seen this happen a few times recently: https://bugzilla.redhat.com/show_bug.cgi?id=2196026#c33 https://bugzilla.redhat.com/show_bug.cgi?id=2196027#c45 ... and it makes me wonder if there's something wrong with the process that's used to file these bugs. In reply to comment #7: > Were the bugs for this CVE created correctly? > > I got bugs RHEL 8 bugs for toolbox for both the rolling (bug 2229077) and > 4.0 (bug 2229071) module streams, but none for RHEL 9. In comparison, I > found RHEL 9 bugs for podman (bug 2229091) and golang (bug 2229065). > > So, it seems like RHEL 9 is affected, but then why is there no RHEL 9 > toolbox bug? There's no difference in toolbox across RHEL 8 and 9 that > could be relevant to this CVE. > > I have seen this happen a few times recently: > https://bugzilla.redhat.com/show_bug.cgi?id=2196026#c33 > https://bugzilla.redhat.com/show_bug.cgi?id=2196027#c45 > > ... and it makes me wonder if there's something wrong with the process > that's used to file these bugs. Hi @debarshi, we are working on fixing this issue. I have filed a tracker for rhel-9/toolbox. (In reply to Avinash Hanwate from comment #9) > ... we are working on fixing this issue. I have filed a tracker > for rhel-9/toolbox. That's fantastic, thanks! This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5738 https://access.redhat.com/errata/RHSA-2023:5738 This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 8 Red Hat Ansible Automation Platform 2.4 for RHEL 9 Via RHSA-2023:5805 https://access.redhat.com/errata/RHSA-2023:5805 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:5935 https://access.redhat.com/errata/RHSA-2023:5935 This issue has been addressed in the following products: RHOL-5.6-RHEL-8 Via RHSA-2023:5541 https://access.redhat.com/errata/RHSA-2023:5541 This issue has been addressed in the following products: RHOL-5.7-RHEL-8 Via RHSA-2023:5530 https://access.redhat.com/errata/RHSA-2023:5530 This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 Via RHSA-2023:5969 https://access.redhat.com/errata/RHSA-2023:5969 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:5965 https://access.redhat.com/errata/RHSA-2023:5965 This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 Via RHSA-2023:5971 https://access.redhat.com/errata/RHSA-2023:5971 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:5964 https://access.redhat.com/errata/RHSA-2023:5964 This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.4.0-RHEL-9 Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974 This issue has been addressed in the following products: STF-1.5-RHEL-8 Via RHSA-2023:5976 https://access.redhat.com/errata/RHSA-2023:5976 This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2023:6031 https://access.redhat.com/errata/RHSA-2023:6031 This issue has been addressed in the following products: Red Hat Openshift distributed tracing 2.9 Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085 This issue has been addressed in the following products: OADP-1.1-RHEL-8 Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115 This issue has been addressed in the following products: RODOO-1.0-RHEL-8 Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947 This issue has been addressed in the following products: OSSO-1.1-RHEL-8 Via RHSA-2023:5933 https://access.redhat.com/errata/RHSA-2023:5933 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161 This issue has been addressed in the following products: Red Hat OpenShift Serverless 1.30 Via RHSA-2023:6296 https://access.redhat.com/errata/RHSA-2023:6296 This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2023:6298 https://access.redhat.com/errata/RHSA-2023:6298 This issue has been addressed in the following products: CERT-MANAGER-1.11-RHEL-9 Via RHSA-2023:6279 https://access.redhat.com/errata/RHSA-2023:6279 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7762 https://access.redhat.com/errata/RHSA-2023:7762 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7763 https://access.redhat.com/errata/RHSA-2023:7763 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7764 https://access.redhat.com/errata/RHSA-2023:7764 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7766 https://access.redhat.com/errata/RHSA-2023:7766 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7765 https://access.redhat.com/errata/RHSA-2023:7765 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:0293 https://access.redhat.com/errata/RHSA-2024:0293 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:0292 https://access.redhat.com/errata/RHSA-2024:0292 This issue has been addressed in the following products: MTA-6.2-RHEL-9 MTA-6.2-RHEL-8 Via RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988 |