Bug 1897635 (CVE-2020-28362) - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
Summary: CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-28362
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1898659 1898660 1899185 1902916 1902917 1902918 1902919 1902921 1902923 1902926 1902928 1905509 1905510 1905511 1905512 1905513 1905514 1905515 1905516 1905517 1905518 1905520 1905521 1905522 1905523 1905524 1905525 1905526 1905527 1905528 1905529 1905530 1905531 1905533 1905534 1905535 1905536 1905537 1905538 1905539 1905540 1906018 1906019 1914054 1916953 1897636 1897637 1898820 1898829 1898835 1898955 1902915 1902920 1902922 1902924 1902927 1906015 1906016 1906017 1906020 1913515 1914055 1914058 1914059 1916004 1916187
Blocks: 1897651
 
Reported: 2020-11-13 17:02 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-24 15:10 UTC
CC List: 81 users

See Also:
Fixed In Version: go 1.15.5, go 1.14.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the math/big package of Go's standard library that allows for denial of service. Applications written in Go that use math/big via cryptographic packages including crypto/rsa and crypto/x509 are vulnerable and can potentially be caused to panic via a crafted certificate chain.
Clone Of:
Environment:
Last Closed: 2020-12-15 22:19:14 UTC


Attachments:


Links (Red Hat Product Errata, with last update):
RHSA-2020:5333 - 2020-12-03 11:19:27 UTC
RHSA-2020:5493 - 2020-12-15 17:06:29 UTC
RHSA-2020:5633 - 2021-02-24 15:10:28 UTC
RHSA-2021:0037 - 2021-01-18 17:57:15 UTC
RHSA-2021:0038 - 2021-01-18 16:03:21 UTC
RHSA-2021:0039 - 2021-01-18 17:34:16 UTC
RHSA-2021:0145 - 2021-01-14 13:38:57 UTC
RHSA-2021:0146 - 2021-01-14 16:30:46 UTC
RHSA-2021:0436 - 2021-02-16 13:16:35 UTC
RHSA-2021:0568 - 2021-02-16 09:18:54 UTC

Description Guilherme de Almeida Suckevicz 2020-11-13 17:02:38 UTC
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat methods are similarly affected.

References:
https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ
https://github.com/golang/go/issues/42552
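Added example, not code from the Go project or from this bug report: the page gives no crafted inputs, only the toolchain releases that carry the fix (go 1.14.12 and go 1.15.5) and the statement that releases before 1.14 are not affected, so the practical check is to find binaries whose embedded Go version falls in the affected range. The program below reads that version with the standard debug/buildinfo package (the same data `go version -m` prints) and classifies every Go binary under a directory. The fixedPatch table, the gobig-audit name, the "affected/ok/review" statuses and the handling of pre-release strings are this example's own assumptions.

```go
package main

// Added example (not part of this bug or of the Go project): flag compiled
// Go binaries built with a toolchain still carrying the vulnerable
// math/big recursive division (CVE-2020-28362).

import (
	"debug/buildinfo"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strconv"
)

// fixedPatch maps a Go minor release to the first patch release that carries
// the fix ("Fixed In Version: go 1.15.5, go 1.14.12"). The recursive division
// that panics was introduced in Go 1.14, so 1.13 and earlier are not affected
// and 1.16 and later shipped after the fix (assumption of this example).
var fixedPatch = map[int]int{14: 12, 15: 5}

// goVersionRE matches the version strings Go embeds in binaries:
// "go1.14", "go1.14.12", "go1.15rc1" (pre-releases carry no patch number).
var goVersionRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion splits "go1.15.4" into (1, 15, 4). A missing patch number
// ("go1.14", "go1.15beta1") is treated as patch 0, which is conservative:
// every such build predates the fixed point release.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	m := goVersionRE.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, 0, false
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, true
}

// isAffected reports whether a binary built with Go version v still carries
// the vulnerable math/big code. Strings it cannot parse ("devel +abc123")
// return an error so the caller flags them for review instead of treating
// them as safe.
func isAffected(v string) (bool, error) {
	major, minor, patch, ok := parseGoVersion(v)
	if !ok {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	fixed, tracked := fixedPatch[minor]
	if major != 1 || !tracked {
		return false, nil // 1.13 and earlier, or 1.16 and later
	}
	return patch < fixed, nil
}

// finding is one Go binary found on disk; Status is "affected", "ok" or
// "review" (version string not understood).
type finding struct {
	Path, GoVersion, Status string
}

// scanDir walks root, reads the build info of every Go binary it finds and
// classifies it. Files that are not Go binaries are skipped silently.
func scanDir(root string) ([]finding, error) {
	var out []finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		info, err := buildinfo.ReadFile(p)
		if err != nil {
			return nil // not a Go binary (or unreadable): nothing to assess
		}
		status := "review"
		if affected, err := isAffected(info.GoVersion); err == nil {
			status = "ok"
			if affected {
				status = "affected"
			}
		}
		out = append(out, finding{Path: p, GoVersion: info.GoVersion, Status: status})
		return nil
	})
	return out, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gobig-audit <directory>")
		os.Exit(2)
	}
	findings, err := scanDir(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %s built with %s\n", f.Status, f.Path, f.GoVersion)
	}
}
```

Run it as `go run gobig-audit.go /usr/local/bin` (or against an unpacked container image). The check is by toolchain version, not by reachability: because crypto/x509 and crypto/rsa sit on math/big, any binary that terminates TLS or verifies certificates reaches the affected methods, so a rebuild with a fixed toolchain is the remedy, not a code change. A forked or vendored copy of math/big would not be caught by this scan.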

Comment 1 Guilherme de Almeida Suckevicz 2020-11-13 17:03:16 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1897637]
Affects: fedora-all [bug 1897636]

Comment 3 Przemyslaw Roguski 2020-11-19 16:12:48 UTC
Upstream commit with fix:
https://github.com/golang/go/commit/1e1fa5903b760c6714ba17e50bf850b01f49135c

Comment 10 Przemyslaw Roguski 2020-12-01 15:22:24 UTC
External References:

https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ

Comment 12 errata-xmlrpc 2020-12-03 11:19:46 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:5333 https://access.redhat.com/errata/RHSA-2020:5333

Comment 23 amctagga 2020-12-15 15:13:48 UTC
Statement:

OpenShift ServiceMesh (OSSM) 1.1 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of support.
OpenShift Virtualization 1 (formerly Container Native Virtualization) is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities.

Red Hat Gluster Storage 3 shipped multi-cloud-object-gateway-cli and noobaa-operator container as a technical preview and is not currently planned to be addressed in future updates.

OpenShift Container Platform (OCP) 4.5 and earlier are built with Go versions earlier than 1.14, which are not affected by this vulnerability. OCP 4.6 is built with Go 1.15 and is affected.

Comment 24 errata-xmlrpc 2020-12-15 17:06:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5493 https://access.redhat.com/errata/RHSA-2020:5493

Comment 25 Product Security DevOps Team 2020-12-15 22:19:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28362

Comment 26 errata-xmlrpc 2021-01-14 13:38:53 UTC
This issue has been addressed in the following products:

  OpenShift Serverless 1 on RHEL 8

Via RHSA-2021:0145 https://access.redhat.com/errata/RHSA-2021:0145

Comment 27 errata-xmlrpc 2021-01-14 16:31:20 UTC
This issue has been addressed in the following products:

  OpenShift Serverless 1.12

Via RHSA-2021:0146 https://access.redhat.com/errata/RHSA-2021:0146

Comment 28 errata-xmlrpc 2021-01-18 16:03:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0038 https://access.redhat.com/errata/RHSA-2021:0038

Comment 29 errata-xmlrpc 2021-01-18 17:34:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0039 https://access.redhat.com/errata/RHSA-2021:0039

Comment 30 errata-xmlrpc 2021-01-18 17:57:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0037 https://access.redhat.com/errata/RHSA-2021:0037

Comment 31 errata-xmlrpc 2021-02-16 09:18:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0568 https://access.redhat.com/errata/RHSA-2021:0568

Comment 32 errata-xmlrpc 2021-02-16 13:16:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0436 https://access.redhat.com/errata/RHSA-2021:0436

Comment 35 errata-xmlrpc 2021-02-24 15:10:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633

