Bug 2178492 (CVE-2022-41724) - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
Summary: CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-41724
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2178495 2178496 2179247 2179248 2179249 2179250 2179251 2179252 2179253 2179254 2179255 2179256 2179257 2179258 2179259 2179261 2179262 2179925 2179926 2179927 2179935 2179936 2179937 2179938 2179939 2179943 2179944 2179945 2179946 2179947 2179948 2179949 2179950 2179951 2179952 2179953 2179954 2179955 2179956 2179957 2179958 2179959 2179960 2179961 2179962 2179963 2179964 2179965 2179966 2179967 2179968 2179969 2179970 2179971 2179972 2179973 2208150 2208151
Blocks: 2169910
Reported: 2023-03-15 05:14 UTC by Avinash Hanwate
Modified: 2024-04-15 07:13 UTC

Fixed In Version: golang 1.20.1, golang 1.19.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go's crypto/tls package: processing large TLS handshake records can lead to a denial of service. By sending specially crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.
Clone Of:
Environment:
Last Closed: 2023-06-07 10:17:51 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:6108 0 None None None 2023-10-25 12:15:32 UTC
Red Hat Product Errata RHSA-2023:0584 0 None None None 2023-05-18 14:28:14 UTC
Red Hat Product Errata RHSA-2023:1325 0 None None None 2023-05-17 22:54:06 UTC
Red Hat Product Errata RHSA-2023:1326 0 None None None 2023-05-17 22:31:45 UTC
Red Hat Product Errata RHSA-2023:1639 0 None None None 2023-04-05 01:15:10 UTC
Red Hat Product Errata RHSA-2023:1817 0 None None None 2023-04-18 01:01:44 UTC
Red Hat Product Errata RHSA-2023:2107 0 None None None 2023-05-04 01:50:15 UTC
Red Hat Product Errata RHSA-2023:3083 0 None None None 2023-05-16 09:59:29 UTC
Red Hat Product Errata RHSA-2023:3167 0 None None None 2023-05-18 11:34:17 UTC
Red Hat Product Errata RHSA-2023:3303 0 None None None 2023-05-30 20:24:58 UTC
Red Hat Product Errata RHSA-2023:3366 0 None None None 2023-06-07 02:02:33 UTC
Red Hat Product Errata RHSA-2023:3445 0 None None None 2023-06-05 14:08:11 UTC
Red Hat Product Errata RHSA-2023:3450 0 None None None 2023-06-05 16:44:26 UTC
Red Hat Product Errata RHSA-2023:3455 0 None None None 2023-06-05 23:42:55 UTC
Red Hat Product Errata RHSA-2023:3612 0 None None None 2023-06-23 04:39:45 UTC
Red Hat Product Errata RHSA-2023:3742 0 None None None 2023-06-22 19:52:33 UTC
Red Hat Product Errata RHSA-2023:4003 0 None None None 2023-07-10 08:51:26 UTC
Red Hat Product Errata RHSA-2023:4335 0 None None None 2023-08-08 00:36:25 UTC
Red Hat Product Errata RHSA-2023:4470 0 None None None 2023-08-03 14:12:53 UTC
Red Hat Product Errata RHSA-2023:4627 0 None None None 2023-08-14 01:02:43 UTC
Red Hat Product Errata RHSA-2023:5935 0 None None None 2023-10-19 16:50:31 UTC
Red Hat Product Errata RHSA-2023:5964 0 None None None 2023-10-20 14:57:16 UTC
Red Hat Product Errata RHSA-2023:5976 0 None None None 2023-10-20 17:19:02 UTC
Red Hat Product Errata RHSA-2023:6363 0 None None None 2023-11-07 08:14:04 UTC
Red Hat Product Errata RHSA-2023:6380 0 None None None 2023-11-07 08:15:04 UTC
Red Hat Product Errata RHSA-2023:6402 0 None None None 2023-11-07 08:15:51 UTC
Red Hat Product Errata RHSA-2023:6473 0 None None None 2023-11-07 08:17:07 UTC
Red Hat Product Errata RHSA-2023:6474 0 None None None 2023-11-07 08:17:38 UTC
Red Hat Product Errata RHSA-2023:6817 0 None None None 2023-11-08 14:03:41 UTC
Red Hat Product Errata RHSA-2023:6938 0 None None None 2023-11-14 15:16:33 UTC
Red Hat Product Errata RHSA-2023:6939 0 None None None 2023-11-14 15:17:17 UTC
Red Hat Product Errata RHSA-2023:7672 0 None None None 2023-12-06 14:36:44 UTC

Description Avinash Hanwate 2023-03-15 05:14:28 UTC
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
https://pkg.go.dev/vuln/GO-2023-1570
https://go.dev/cl/468125
https://go.dev/issue/58001
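As an added triage helper (not part of this bug report or of the Go project), the Go code below encodes the affected configurations listed in the description together with the fixed releases from this bug's "Fixed In Version" field, so a defender can check whether a toolchain version and a tls.Config combination falls in scope. The function names and the version-parsing logic are mine; the version string is assumed to be in runtime.Version() form.

```go
package main

import (
	"crypto/tls"
	"strconv"
	"strings"
)

// First patch release of each affected minor series that carries the fix,
// taken from this bug's "Fixed In Version" field (go1.19.6, go1.20.1).
var fixedPatch = map[int]int{19: 6, 20: 1}

// parseGoVersion turns a runtime.Version()-style string such as "go1.19.5"
// into (minor, patch); ok is false for anything else (devel builds, "go1.20").
func parseGoVersion(v string) (minor, patch int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) != 3 || parts[0] != "1" {
		return 0, 0, false
	}
	minor, errMinor := strconv.Atoi(parts[1])
	patch, errPatch := strconv.Atoi(parts[2])
	return minor, patch, errMinor == nil && errPatch == nil
}

// runtimeFixed reports whether a Go toolchain version includes the fix.
// Unparseable versions count as unfixed so that triage fails closed.
func runtimeFixed(v string) bool {
	minor, patch, ok := parseGoVersion(v)
	if !ok {
		return false
	}
	if minor > 20 {
		return true // 1.21 and later were released after the fix
	}
	want, known := fixedPatch[minor]
	return known && patch >= want // 1.18 and older never received the fix
}

// configExposed reports whether cfg matches an affected configuration from the
// description: any TLS 1.3 client, a TLS 1.2 client with ClientSessionCache set,
// or a TLS 1.3 server that requests client certificates (ClientAuth >= RequestClientCert).
// MaxVersion == 0 means the library default, which allows TLS 1.3 on the affected releases.
func configExposed(cfg *tls.Config, isServer bool) bool {
	tls13Possible := cfg.MaxVersion == 0 || cfg.MaxVersion >= tls.VersionTLS13
	if isServer {
		return tls13Possible && cfg.ClientAuth >= tls.RequestClientCert
	}
	return tls13Possible || cfg.ClientSessionCache != nil
}
```

A build is in scope only when both checks hold: `!runtimeFixed(version) && configExposed(cfg, isServer)`.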

Comment 1 Avinash Hanwate 2023-03-15 05:35:13 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2178495]
Affects: fedora-all [bug 2178496]

Comment 14 errata-xmlrpc 2023-04-05 01:15:04 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:1639 https://access.redhat.com/errata/RHSA-2023:1639

Comment 17 errata-xmlrpc 2023-04-18 01:01:37 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.2.0-RHEL-9

Via RHSA-2023:1817 https://access.redhat.com/errata/RHSA-2023:1817

Comment 20 errata-xmlrpc 2023-05-04 01:50:10 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:2107 https://access.redhat.com/errata/RHSA-2023:2107

Comment 24 errata-xmlrpc 2023-05-16 09:59:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3083 https://access.redhat.com/errata/RHSA-2023:3083

Comment 25 errata-xmlrpc 2023-05-17 22:31:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326

Comment 26 errata-xmlrpc 2023-05-17 22:54:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1325 https://access.redhat.com/errata/RHSA-2023:1325

Comment 28 errata-xmlrpc 2023-05-18 11:34:12 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:3167 https://access.redhat.com/errata/RHSA-2023:3167

Comment 29 errata-xmlrpc 2023-05-18 14:28:07 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584

Comment 30 errata-xmlrpc 2023-05-30 20:24:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3303 https://access.redhat.com/errata/RHSA-2023:3303

Comment 32 errata-xmlrpc 2023-06-05 14:08:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445

Comment 33 errata-xmlrpc 2023-06-05 16:44:18 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450

Comment 34 errata-xmlrpc 2023-06-05 23:42:47 UTC
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455

Comment 35 errata-xmlrpc 2023-06-07 02:02:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3366 https://access.redhat.com/errata/RHSA-2023:3366

Comment 36 Product Security DevOps Team 2023-06-07 10:17:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41724

Comment 37 errata-xmlrpc 2023-06-22 19:52:25 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742

Comment 38 errata-xmlrpc 2023-06-23 04:39:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612

Comment 39 errata-xmlrpc 2023-07-10 08:51:18 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003

Comment 41 errata-xmlrpc 2023-08-03 14:12:45 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470

Comment 42 errata-xmlrpc 2023-08-08 00:36:20 UTC
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335

Comment 43 errata-xmlrpc 2023-08-14 01:02:37 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

Comment 44 errata-xmlrpc 2023-10-19 16:50:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5935 https://access.redhat.com/errata/RHSA-2023:5935

Comment 45 errata-xmlrpc 2023-10-20 14:57:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5964 https://access.redhat.com/errata/RHSA-2023:5964

Comment 46 errata-xmlrpc 2023-10-20 17:18:53 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:5976 https://access.redhat.com/errata/RHSA-2023:5976

Comment 47 errata-xmlrpc 2023-11-07 08:13:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363

Comment 48 errata-xmlrpc 2023-11-07 08:14:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6380 https://access.redhat.com/errata/RHSA-2023:6380

Comment 49 errata-xmlrpc 2023-11-07 08:15:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402

Comment 50 errata-xmlrpc 2023-11-07 08:16:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473

Comment 51 errata-xmlrpc 2023-11-07 08:17:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474

Comment 52 errata-xmlrpc 2023-11-08 14:03:33 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.14

Via RHSA-2023:6817 https://access.redhat.com/errata/RHSA-2023:6817

Comment 53 errata-xmlrpc 2023-11-14 15:16:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938

Comment 54 errata-xmlrpc 2023-11-14 15:17:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939

Comment 56 errata-xmlrpc 2023-12-06 14:36:35 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.14

Via RHSA-2023:7672 https://access.redhat.com/errata/RHSA-2023:7672