Bug 2178492 (CVE-2022-41724) - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
Summary: CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-41724
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2178495 2178496 2179247 2179248 2179249 2179250 2179251 2179252 2179253 2179254 2179255 2179256 2179257 2179258 2179259 2179261 2179262 2179925 2179926 2179927 2179935 2179936 2179937 2179938 2179939 2179943 2179944 2179945 2179946 2179947 2179948 2179949 2179950 2179951 2179952 2179953 2179954 2179955 2179956 2179957 2179958 2179959 2179960 2179961 2179962 2179963 2179964 2179965 2179966 2179967 2179968 2179969 2179970 2179971 2179972 2179973 2208150 2208151
Blocks: 2169910
TreeView+ depends on / blocked
 
Reported: 2023-03-15 05:14 UTC by Avinash Hanwate
Modified: 2024-05-21 14:07 UTC (History)
146 users (show)

Fixed In Version: golang 1.20.1, golang 1.19.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.
Clone Of:
Environment:
Last Closed: 2023-06-07 10:17:51 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:6108 0 None None None 2023-10-25 12:15:32 UTC
Red Hat Product Errata RHSA-2023:0584 0 None None None 2023-05-18 14:28:14 UTC
Red Hat Product Errata RHSA-2023:1325 0 None None None 2023-05-17 22:54:06 UTC
Red Hat Product Errata RHSA-2023:1326 0 None None None 2023-05-17 22:31:45 UTC
Red Hat Product Errata RHSA-2023:1639 0 None None None 2023-04-05 01:15:10 UTC
Red Hat Product Errata RHSA-2023:1817 0 None None None 2023-04-18 01:01:44 UTC
Red Hat Product Errata RHSA-2023:2107 0 None None None 2023-05-04 01:50:15 UTC
Red Hat Product Errata RHSA-2023:3083 0 None None None 2023-05-16 09:59:29 UTC
Red Hat Product Errata RHSA-2023:3167 0 None None None 2023-05-18 11:34:17 UTC
Red Hat Product Errata RHSA-2023:3303 0 None None None 2023-05-30 20:24:58 UTC
Red Hat Product Errata RHSA-2023:3366 0 None None None 2023-06-07 02:02:33 UTC
Red Hat Product Errata RHSA-2023:3445 0 None None None 2023-06-05 14:08:11 UTC
Red Hat Product Errata RHSA-2023:3450 0 None None None 2023-06-05 16:44:26 UTC
Red Hat Product Errata RHSA-2023:3455 0 None None None 2023-06-05 23:42:55 UTC
Red Hat Product Errata RHSA-2023:3612 0 None None None 2023-06-23 04:39:45 UTC
Red Hat Product Errata RHSA-2023:3742 0 None None None 2023-06-22 19:52:33 UTC
Red Hat Product Errata RHSA-2023:4003 0 None None None 2023-07-10 08:51:26 UTC
Red Hat Product Errata RHSA-2023:4335 0 None None None 2023-08-08 00:36:25 UTC
Red Hat Product Errata RHSA-2023:4470 0 None None None 2023-08-03 14:12:53 UTC
Red Hat Product Errata RHSA-2023:4627 0 None None None 2023-08-14 01:02:43 UTC
Red Hat Product Errata RHSA-2023:5935 0 None None None 2023-10-19 16:50:31 UTC
Red Hat Product Errata RHSA-2023:5964 0 None None None 2023-10-20 14:57:16 UTC
Red Hat Product Errata RHSA-2023:5976 0 None None None 2023-10-20 17:19:02 UTC
Red Hat Product Errata RHSA-2023:6363 0 None None None 2023-11-07 08:14:04 UTC
Red Hat Product Errata RHSA-2023:6380 0 None None None 2023-11-07 08:15:04 UTC
Red Hat Product Errata RHSA-2023:6402 0 None None None 2023-11-07 08:15:51 UTC
Red Hat Product Errata RHSA-2023:6473 0 None None None 2023-11-07 08:17:07 UTC
Red Hat Product Errata RHSA-2023:6474 0 None None None 2023-11-07 08:17:38 UTC
Red Hat Product Errata RHSA-2023:6817 0 None None None 2023-11-08 14:03:41 UTC
Red Hat Product Errata RHSA-2023:6938 0 None None None 2023-11-14 15:16:33 UTC
Red Hat Product Errata RHSA-2023:6939 0 None None None 2023-11-14 15:17:17 UTC
Red Hat Product Errata RHSA-2023:7672 0 None None None 2023-12-06 14:36:44 UTC
Red Hat Product Errata RHSA-2024:2944 0 None None None 2024-05-21 14:07:36 UTC

Description Avinash Hanwate 2023-03-15 05:14:28 UTC
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
https://pkg.go.dev/vuln/GO-2023-1570
https://go.dev/cl/468125
https://go.dev/issue/58001

Comment 1 Avinash Hanwate 2023-03-15 05:35:13 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2178495]
Affects: fedora-all [bug 2178496]

Comment 14 errata-xmlrpc 2023-04-05 01:15:04 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:1639 https://access.redhat.com/errata/RHSA-2023:1639

Comment 17 errata-xmlrpc 2023-04-18 01:01:37 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.2.0-RHEL-9

Via RHSA-2023:1817 https://access.redhat.com/errata/RHSA-2023:1817

Comment 20 errata-xmlrpc 2023-05-04 01:50:10 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:2107 https://access.redhat.com/errata/RHSA-2023:2107

Comment 24 errata-xmlrpc 2023-05-16 09:59:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3083 https://access.redhat.com/errata/RHSA-2023:3083

Comment 25 errata-xmlrpc 2023-05-17 22:31:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326

Comment 26 errata-xmlrpc 2023-05-17 22:54:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1325 https://access.redhat.com/errata/RHSA-2023:1325

Comment 28 errata-xmlrpc 2023-05-18 11:34:12 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:3167 https://access.redhat.com/errata/RHSA-2023:3167

Comment 29 errata-xmlrpc 2023-05-18 14:28:07 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584

Comment 30 errata-xmlrpc 2023-05-30 20:24:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3303 https://access.redhat.com/errata/RHSA-2023:3303

Comment 32 errata-xmlrpc 2023-06-05 14:08:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445

Comment 33 errata-xmlrpc 2023-06-05 16:44:18 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450

Comment 34 errata-xmlrpc 2023-06-05 23:42:47 UTC
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455

Comment 35 errata-xmlrpc 2023-06-07 02:02:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3366 https://access.redhat.com/errata/RHSA-2023:3366

Comment 36 Product Security DevOps Team 2023-06-07 10:17:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41724

Comment 37 errata-xmlrpc 2023-06-22 19:52:25 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742

Comment 38 errata-xmlrpc 2023-06-23 04:39:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612

Comment 39 errata-xmlrpc 2023-07-10 08:51:18 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003

Comment 41 errata-xmlrpc 2023-08-03 14:12:45 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470

Comment 42 errata-xmlrpc 2023-08-08 00:36:20 UTC
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335

Comment 43 errata-xmlrpc 2023-08-14 01:02:37 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

Comment 44 errata-xmlrpc 2023-10-19 16:50:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5935 https://access.redhat.com/errata/RHSA-2023:5935

Comment 45 errata-xmlrpc 2023-10-20 14:57:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5964 https://access.redhat.com/errata/RHSA-2023:5964

Comment 46 errata-xmlrpc 2023-10-20 17:18:53 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:5976 https://access.redhat.com/errata/RHSA-2023:5976

Comment 47 errata-xmlrpc 2023-11-07 08:13:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363

Comment 48 errata-xmlrpc 2023-11-07 08:14:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6380 https://access.redhat.com/errata/RHSA-2023:6380

Comment 49 errata-xmlrpc 2023-11-07 08:15:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402

Comment 50 errata-xmlrpc 2023-11-07 08:16:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473

Comment 51 errata-xmlrpc 2023-11-07 08:17:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474

Comment 52 errata-xmlrpc 2023-11-08 14:03:33 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.14

Via RHSA-2023:6817 https://access.redhat.com/errata/RHSA-2023:6817

Comment 53 errata-xmlrpc 2023-11-14 15:16:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938

Comment 54 errata-xmlrpc 2023-11-14 15:17:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939

Comment 56 errata-xmlrpc 2023-12-06 14:36:35 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.14

Via RHSA-2023:7672 https://access.redhat.com/errata/RHSA-2023:7672

Comment 59 errata-xmlrpc 2024-05-21 14:07:24 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:2944 https://access.redhat.com/errata/RHSA-2024:2944


Note You need to log in before you can comment on or make changes to this bug.