On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
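An added example, not part of the original report or of the Go project's code: for code that calls crypto/x509 directly on untrusted DER, a recover wrapper contains a parser panic in the calling goroutine, similar in effect to the recovery the description attributes to net/http servers. It does not cover parsing done inside a crypto/tls handshake; the names `Is32Bit` and `ParseUntrustedCert` are hypothetical, and the sample bytes are constructed.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strconv"
)

// Is32Bit reports whether this binary was built for a 32-bit architecture,
// the only kind of build the description above lists as exposed.
func Is32Bit() bool { return strconv.IntSize == 32 }

// ParseUntrustedCert (hypothetical helper) parses DER from an untrusted
// source. A panic raised inside the parser is converted into an ordinary
// error so that one malformed certificate cannot take the process down.
func ParseUntrustedCert(der []byte) (cert *x509.Certificate, err error) {
	defer func() {
		if r := recover(); r != nil {
			cert = nil
			err = fmt.Errorf("x509 parser panicked on untrusted input: %v", r)
		}
	}()
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample: a truncated SEQUENCE header, not a real certificate
	// and not a reproducer for the flaw.
	malformed := []byte{0x30, 0x82, 0x01, 0x00, 0x30}

	_, err := ParseUntrustedCert(malformed)
	fmt.Printf("32-bit build: %v\n", Is32Bit())
	fmt.Printf("parse result: %v\n", err)
}
```

The wrapper only protects the goroutine that calls it, so it is a containment measure for direct parsing paths rather than a substitute for updated packages.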
Created golang tracking bugs for this issue:
Affects: epel-all [bug 1808042]
Affects: fedora-all [bug 1808044]
The current version of ServiceMesh only supports x86_64 architectures and hence is not affected by this flaw.
The products below are only supported on 64-bit architectures and are therefore not affected by this flaw:
* OpenShift Container Platform
* OpenShift Service Mesh
* Red Hat Ceph Storage
* Red Hat Gluster Storage
* Container-native Virtualization
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):