Bug 2092793 (CVE-2022-30629) - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
Summary: CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
Keywords:
Status: NEW
Alias: CVE-2022-30629
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: low / low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2102700 2102701 2102702 2102703 2102704 2102978 2102979 2102980 2102986 2102989 2102994 2102995 2102996 2103255 2108767 2108796 2108802 2108816 2108817 2108819 2108821 2108830 2108831 2108832 2108833 2108845 2108846 2108848 2108849 2109308 2096696 2096697 2096698 2096699 2096700 2096701 2096702 2096704 2096705 2096706 2096707 2096708 2096709 2096710 2096711 2096712 2096713 2096714 2096715 2096716 2096717 2096718 2096719 2096720 2096721 2096722 2096723 2096724 2096725 2096726 2096727 2096728 2096729 2096730 2096731 2096732 2096733 2096734 2096735 2096736 2096737 2096738 2096739 2096740 2096741 2096742 2096743 2096744 2096745 2096746 2096747 2096748 2096749 2096750 2096751 2096752 2096753 2096754 2096755 2096756 2096757 2096759 2096760 2096761 2096762 2096763 2096764 2096765 2096766 2096767 2096768 2096769 2096770 2096771 2096772 2096773 2096774 2096775 2102958 2102959 2102963 2102964 2102965 2102966 2102967 2102968 2102969 2102970 2102971 2102972 2102973 2102974 2102975 2102976 2102977 2102981 2102982 2102983 2102984 2102985 2102987 2102988 2102990 2102991 2102992 2102993 2102997 2103001 2103002 2103003 2108768 2108769 2108770 2108771 2108772 2108773 2108774 2108775 2108776 2108777 2108778 2108779 2108780 2108781 2108782 2108783 2108784 2108785 2108786 2108787 2108788 2108789 2108790 2108791 2108792 2108793 2108794 2108795 2108797 2108798 2108799 2108800 2108801 2108806 2108807 2108808 2108809 2108810 2108811 2108812 2108813 2108814 2108815 2108820 2108822 2108823 2108824 2108825 2108826 2108827 2108828 2108829 2108834 2108835 2108836 2108837 2108838 2108839 2108840 2108841 2108842 2108843 2108844 2108847 2108850 2108851 2108852 2109278 2109279 2109306 2109307
Blocks: 2092875
Reported: 2022-06-02 09:22 UTC by TEJ RATHI
Modified: 2023-02-08 00:54 UTC (History)
CC: 176 users

Fixed In Version: go 1.18.3, go 1.17.11
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Go crypto/tls package. Session tickets generated by crypto/tls did not carry a randomly generated ticket_age_add value, so the ticket age a client reports when it resumes a session was not masked. An attacker able to observe TLS handshakes may compare the reported ticket ages during session resumption and correlate successive connections from the same client.
Clone Of:
Environment:
Last Closed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6040 0 None None None 2022-08-10 13:15:55 UTC
Red Hat Product Errata RHSA-2022:6042 0 None None None 2022-08-10 11:36:58 UTC
Red Hat Product Errata RHSA-2022:6102 0 None None None 2022-08-23 14:44:43 UTC
Red Hat Product Errata RHSA-2022:6103 0 None None None 2022-08-23 15:08:04 UTC
Red Hat Product Errata RHSA-2022:6152 0 None None None 2022-09-01 05:40:53 UTC
Red Hat Product Errata RHSA-2022:6277 0 None None None 2022-08-31 16:56:32 UTC
Red Hat Product Errata RHSA-2022:6290 0 None None None 2022-09-01 01:25:08 UTC
Red Hat Product Errata RHSA-2022:6345 0 None None None 2022-09-06 14:33:24 UTC
Red Hat Product Errata RHSA-2022:6346 0 None None None 2022-09-06 13:02:34 UTC
Red Hat Product Errata RHSA-2022:6347 0 None None None 2022-09-06 12:58:25 UTC
Red Hat Product Errata RHSA-2022:6348 0 None None None 2022-09-06 13:42:55 UTC
Red Hat Product Errata RHSA-2022:6370 0 None None None 2022-09-06 22:29:31 UTC
Red Hat Product Errata RHSA-2022:6430 0 None None None 2022-09-13 02:10:00 UTC
Red Hat Product Errata RHSA-2022:6535 0 None None None 2022-09-20 16:20:49 UTC
Red Hat Product Errata RHSA-2022:6696 0 None None None 2022-09-26 14:52:23 UTC
Red Hat Product Errata RHSA-2022:8750 0 None None None 2022-12-01 21:10:12 UTC
Red Hat Product Errata RHSA-2022:9047 0 None None None 2022-12-15 01:57:45 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:49:07 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:34:52 UTC
Red Hat Product Errata RHSA-2023:0630 0 None None None 2023-02-07 18:37:00 UTC

Description TEJ RATHI 2022-06-02 09:22:04 UTC
We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

* crypto/tls: session tickets lack random ticket_age_add

Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

References:
https://go.dev/issue/52814
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg

Upstream Commits:
Master : https://github.com/golang/go/commit/fe4de36198794c447fbd9d7cc2d7199a506c76a5
Branch.go1.17 : https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c
Branch.go1.18 : https://github.com/golang/go/commit/c838098c327a1b6d63446f4722e943b02d235d78
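
The correlation the description refers to, as an added simulation of the RFC 8446 section 4.6.1 ticket-age mechanism. This is example code written for this page, not crypto/tls's own ticket handling: the SessionTicket/Observation types, the function names and the timestamps are hypothetical, and the zero-mask path models the pre-fix behaviour described above.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// SessionTicket models the parts of a TLS 1.3 NewSessionTicket that matter here.
// Hypothetical simulation type; not crypto/tls's internal ticket state.
type SessionTicket struct {
	IssuedAt     time.Time // issuer's own record of issue time; never on the wire
	TicketAgeAdd uint32    // 32-bit mask sent to the client in NewSessionTicket
}

// IssueTicket creates a ticket with a cryptographically random ticket_age_add,
// which is what RFC 8446 requires and what the fixed Go releases do.
func IssueTicket(now time.Time) (SessionTicket, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return SessionTicket{}, err
	}
	return SessionTicket{IssuedAt: now, TicketAgeAdd: binary.BigEndian.Uint32(b[:])}, nil
}

// IssueTicketUnmasked models the pre-fix behaviour: ticket_age_add is always
// zero, so the age the client reports is the true age of the ticket.
func IssueTicketUnmasked(now time.Time) SessionTicket {
	return SessionTicket{IssuedAt: now, TicketAgeAdd: 0}
}

// ObfuscatedTicketAge is the value the client sends in the clear as
// PskIdentity.obfuscated_ticket_age: (age in ms + ticket_age_add) mod 2^32.
// uint32 addition wraps, which is exactly the required modular arithmetic.
func ObfuscatedTicketAge(t SessionTicket, now time.Time) uint32 {
	return uint32(now.Sub(t.IssuedAt).Milliseconds()) + t.TicketAgeAdd
}

// ServerTicketAge recovers the true age on the server, which knows the mask.
// uint32 subtraction wraps too, so it undoes an overflowed addition correctly.
func ServerTicketAge(t SessionTicket, obfuscated uint32) time.Duration {
	return time.Duration(obfuscated-t.TicketAgeAdd) * time.Millisecond
}

// Observation is what a passive observer gets from one resumption handshake.
type Observation struct {
	SeenAt        time.Time // capture time of the resuming ClientHello
	ObfuscatedAge uint32    // obfuscated_ticket_age as seen on the wire
}

// ImpliedIssueTime is the observer's reconstruction of when the ticket was
// issued, assuming ticket_age_add is zero (true for the pre-fix tickets).
func ImpliedIssueTime(o Observation) time.Time {
	return o.SeenAt.Add(-time.Duration(o.ObfuscatedAge) * time.Millisecond)
}

// Linkable reports whether a resumption can be tied to the full handshake the
// observer captured at issuedSeenAt: the implied issue time lands within
// tolerance of it. With a random mask this happens only by chance, about
// 2*tolerance_ms/2^32 per pair (mask near 0 or near 2^32).
func Linkable(issuedSeenAt time.Time, o Observation, tolerance time.Duration) bool {
	d := ImpliedIssueTime(o).Sub(issuedSeenAt)
	if d < 0 {
		d = -d
	}
	return d <= tolerance
}

func main() {
	issued := time.Date(2022, 6, 2, 9, 22, 0, 0, time.UTC) // constructed: full handshake captured
	resumed := issued.Add(90 * time.Second)                 // constructed: resumption captured

	masked, err := IssueTicket(issued)
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name   string
		ticket SessionTicket
	}{
		{"pre-fix (ticket_age_add = 0)", IssueTicketUnmasked(issued)},
		{"fixed (random ticket_age_add)", masked},
	}
	for _, tc := range cases {
		wire := ObfuscatedTicketAge(tc.ticket, resumed)
		obs := Observation{SeenAt: resumed, ObfuscatedAge: wire}
		fmt.Printf("%-32s wire=%-10d server age=%-6s linkable to issuing handshake=%v\n",
			tc.name, wire, ServerTicketAge(tc.ticket, wire), Linkable(issued, obs, time.Second))
	}
}
```

In the pre-fix case the value on the wire is the true age, so an observer who also saw the full handshake that issued the ticket can tie the two connections together, and by chaining resumptions, a whole sequence of them; the server gains nothing from that transparency because it can recover the age from its own mask in either case. The mask is chosen by the ticket issuer, so for Go this is fixed by rebuilding the server side with a patched toolchain. `go version -m <binary>` prints the Go version recorded in a deployed binary; builds from Go 1.17 before 1.17.11 and Go 1.18 before 1.18.3 carry the flaw.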

Comment 7 TEJ RATHI 2022-07-01 06:47:45 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2102959]
Affects: fedora-all [bug 2102958]

Comment 10 Sage McTaggart 2022-07-01 20:05:31 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2103255]

Comment 23 errata-xmlrpc 2022-08-10 11:36:49 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042

Comment 24 errata-xmlrpc 2022-08-10 13:15:45 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040

Comment 36 errata-xmlrpc 2022-08-23 14:44:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6102 https://access.redhat.com/errata/RHSA-2022:6102

Comment 37 errata-xmlrpc 2022-08-23 15:07:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6103 https://access.redhat.com/errata/RHSA-2022:6103

Comment 38 errata-xmlrpc 2022-08-31 16:56:22 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277

Comment 39 errata-xmlrpc 2022-09-01 01:24:58 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2022:6290 https://access.redhat.com/errata/RHSA-2022:6290

Comment 40 errata-xmlrpc 2022-09-01 05:40:46 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152

Comment 41 errata-xmlrpc 2022-09-06 12:58:18 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347

Comment 42 errata-xmlrpc 2022-09-06 13:02:24 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346

Comment 43 errata-xmlrpc 2022-09-06 13:42:46 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348

Comment 44 errata-xmlrpc 2022-09-06 14:33:17 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345

Comment 45 errata-xmlrpc 2022-09-06 22:29:21 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370

Comment 46 errata-xmlrpc 2022-09-13 02:09:52 UTC
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:6430 https://access.redhat.com/errata/RHSA-2022:6430

Comment 47 errata-xmlrpc 2022-09-20 16:20:42 UTC
This issue has been addressed in the following products:

  Ironic content for Red Hat OpenShift Container Platform 4.11
  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:6535 https://access.redhat.com/errata/RHSA-2022:6535

Comment 49 errata-xmlrpc 2022-09-26 14:52:13 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:6696 https://access.redhat.com/errata/RHSA-2022:6696

Comment 57 errata-xmlrpc 2022-12-01 21:10:06 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:8750 https://access.redhat.com/errata/RHSA-2022:8750

Comment 58 errata-xmlrpc 2022-12-15 01:57:37 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047

Comment 74 errata-xmlrpc 2023-01-24 12:48:58 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407

Comment 75 errata-xmlrpc 2023-01-24 13:34:42 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408

Comment 83 errata-xmlrpc 2023-02-07 18:36:52 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:0630 https://access.redhat.com/errata/RHSA-2023:0630
