Bug 2228743 (CVE-2023-29409) - CVE-2023-29409 golang: crypto/tls: slow verification of certificate chains containing large RSA keys
Summary: CVE-2023-29409 golang: crypto/tls: slow verification of certificate chains co...
Keywords:
Status: NEW
Alias: CVE-2023-29409
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On: 2228830 2228829 2228831 2228832 2228833 2228834 2228835 2228836 2228837 2228838 2228839 2228840 2228842 2228843 2228844 2229061 2229062 2229063 2229064 2229065 2229066 2229067 2229068 2229069 2229070 2229071 2229072 2229073 2229074 2229075 2229076 2229077 2229078 2229079 2229080 2229081 2229082 2229083 2229084 2229085 2229086 2229087 2229088 2229089 2229090 2229091 2229092 2229093 2229094 2229620 2229621 2230278 2238931 2238932
Blocks: 2228694
TreeView+ depends on / blocked
 
Reported: 2023-08-03 07:10 UTC by Avinash Hanwate
Modified: 2024-05-02 18:49 UTC (History)
145 users (show)

Fixed In Version: Go 1.20.7, Go 1.19.12
Doc Type: If docs needed, set a value
Doc Text:
A denial of service vulnerability was found in the Golang Go package caused by an uncontrolled resource consumption flaw. By persuading a victim to use a specially crafted certificate with large RSA keys, a remote attacker can cause a client/server to expend significant CPU time verifying signatures, resulting in a denial of service condition.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:5762 0 None None None 2023-10-17 08:27:57 UTC
Red Hat Product Errata RHBA-2023:6038 0 None None None 2023-10-23 16:41:43 UTC
Red Hat Product Errata RHBA-2023:6108 0 None None None 2023-10-25 12:15:41 UTC
Red Hat Product Errata RHBA-2023:6806 0 None None None 2023-11-08 10:40:22 UTC
Red Hat Product Errata RHBA-2023:6807 0 None None None 2023-11-08 10:40:41 UTC
Red Hat Product Errata RHSA-2023:5530 0 None None None 2023-10-20 05:04:54 UTC
Red Hat Product Errata RHSA-2023:5541 0 None None None 2023-10-20 04:11:59 UTC
Red Hat Product Errata RHSA-2023:5738 0 None None None 2023-10-16 13:57:19 UTC
Red Hat Product Errata RHSA-2023:5805 0 None None None 2023-10-17 17:40:33 UTC
Red Hat Product Errata RHSA-2023:5933 0 None None None 2023-10-26 01:04:52 UTC
Red Hat Product Errata RHSA-2023:5935 0 None None None 2023-10-19 16:50:43 UTC
Red Hat Product Errata RHSA-2023:5947 0 None None None 2023-10-26 00:47:56 UTC
Red Hat Product Errata RHSA-2023:5964 0 None None None 2023-10-20 14:58:06 UTC
Red Hat Product Errata RHSA-2023:5965 0 None None None 2023-10-20 14:57:35 UTC
Red Hat Product Errata RHSA-2023:5969 0 None None None 2023-10-20 14:56:39 UTC
Red Hat Product Errata RHSA-2023:5971 0 None None None 2023-10-20 14:57:50 UTC
Red Hat Product Errata RHSA-2023:5974 0 None None None 2023-10-20 16:50:09 UTC
Red Hat Product Errata RHSA-2023:5976 0 None None None 2023-10-20 17:18:52 UTC
Red Hat Product Errata RHSA-2023:6031 0 None None None 2023-10-23 14:24:53 UTC
Red Hat Product Errata RHSA-2023:6085 0 None None None 2023-10-24 15:32:46 UTC
Red Hat Product Errata RHSA-2023:6115 0 None None None 2023-10-25 14:02:09 UTC
Red Hat Product Errata RHSA-2023:6161 0 None None None 2023-10-30 02:16:26 UTC
Red Hat Product Errata RHSA-2023:6279 0 None None None 2023-11-15 01:08:39 UTC
Red Hat Product Errata RHSA-2023:6296 0 None None None 2023-11-02 19:16:13 UTC
Red Hat Product Errata RHSA-2023:6298 0 None None None 2023-11-03 08:45:50 UTC
Red Hat Product Errata RHSA-2023:6840 0 None None None 2023-11-15 04:38:11 UTC
Red Hat Product Errata RHSA-2023:7762 0 None None None 2023-12-12 17:23:19 UTC
Red Hat Product Errata RHSA-2023:7763 0 None None None 2023-12-12 17:23:37 UTC
Red Hat Product Errata RHSA-2023:7764 0 None None None 2023-12-12 17:23:46 UTC
Red Hat Product Errata RHSA-2023:7765 0 None None None 2023-12-12 17:24:47 UTC
Red Hat Product Errata RHSA-2023:7766 0 None None None 2023-12-12 17:24:08 UTC
Red Hat Product Errata RHSA-2024:0121 0 None None None 2024-01-10 11:28:08 UTC
Red Hat Product Errata RHSA-2024:0292 0 None None None 2024-01-23 22:34:53 UTC
Red Hat Product Errata RHSA-2024:0293 0 None None None 2024-01-23 21:32:39 UTC
Red Hat Product Errata RHSA-2024:1027 0 None None None 2024-02-28 18:14:34 UTC

Description Avinash Hanwate 2023-08-03 07:10:56 UTC 
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

https://go.dev/cl/515257
https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ
https://pkg.go.dev/vuln/GO-2023-1987
https://go.dev/issue/61460
Comment 6 Avinash Hanwate 2023-08-07 06:07:00 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2229620]
Affects: fedora-all [bug 2229621]
Comment 7 Debarshi Ray 2023-08-07 17:42:48 UTC 
Were the bugs for this CVE created correctly?

I got bugs RHEL 8 bugs for toolbox for both the rolling (bug 2229077) and 4.0 (bug 2229071) module streams, but none for RHEL 9.  In comparison, I found RHEL 9 bugs for podman (bug 2229091) and golang (bug 2229065).

So, it seems like RHEL 9 is affected, but then why is there no RHEL 9 toolbox bug?  There's no difference in toolbox across RHEL 8 and 9 that could be relevant to this CVE.

I have seen this happen a few times recently:
https://bugzilla.redhat.com/show_bug.cgi?id=2196026#c33
https://bugzilla.redhat.com/show_bug.cgi?id=2196027#c45

... and it makes me wonder if there's something wrong with the process that's used to file these bugs.
Comment 9 Avinash Hanwate 2023-08-09 09:03:50 UTC 
In reply to comment #7:
> Were the bugs for this CVE created correctly?
> 
> I got bugs RHEL 8 bugs for toolbox for both the rolling (bug 2229077) and
> 4.0 (bug 2229071) module streams, but none for RHEL 9.  In comparison, I
> found RHEL 9 bugs for podman (bug 2229091) and golang (bug 2229065).
> 
> So, it seems like RHEL 9 is affected, but then why is there no RHEL 9
> toolbox bug?  There's no difference in toolbox across RHEL 8 and 9 that
> could be relevant to this CVE.
> 
> I have seen this happen a few times recently:
> https://bugzilla.redhat.com/show_bug.cgi?id=2196026#c33
> https://bugzilla.redhat.com/show_bug.cgi?id=2196027#c45
> 
> ... and it makes me wonder if there's something wrong with the process
> that's used to file these bugs.
Hi @debarshi, we are working on fixing this issue. I have filed a tracker for rhel-9/toolbox.
Comment 10 Debarshi Ray 2023-08-09 16:05:41 UTC 
(In reply to Avinash Hanwate from comment #9)
> ... we are working on fixing this issue. I have filed a tracker
> for rhel-9/toolbox.

That's fantastic, thanks!
Comment 14 errata-xmlrpc 2023-10-16 13:57:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5738 https://access.redhat.com/errata/RHSA-2023:5738
Comment 15 errata-xmlrpc 2023-10-17 17:40:27 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2023:5805 https://access.redhat.com/errata/RHSA-2023:5805
Comment 19 errata-xmlrpc 2023-10-19 16:50:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5935 https://access.redhat.com/errata/RHSA-2023:5935
Comment 20 errata-xmlrpc 2023-10-20 04:11:53 UTC 
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:5541 https://access.redhat.com/errata/RHSA-2023:5541
Comment 21 errata-xmlrpc 2023-10-20 05:04:48 UTC 
This issue has been addressed in the following products:

  RHOL-5.7-RHEL-8

Via RHSA-2023:5530 https://access.redhat.com/errata/RHSA-2023:5530
Comment 22 errata-xmlrpc 2023-10-20 14:56:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1

Via RHSA-2023:5969 https://access.redhat.com/errata/RHSA-2023:5969
Comment 23 errata-xmlrpc 2023-10-20 14:57:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5965 https://access.redhat.com/errata/RHSA-2023:5965
Comment 24 errata-xmlrpc 2023-10-20 14:57:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1

Via RHSA-2023:5971 https://access.redhat.com/errata/RHSA-2023:5971
Comment 25 errata-xmlrpc 2023-10-20 14:57:59 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5964 https://access.redhat.com/errata/RHSA-2023:5964
Comment 26 errata-xmlrpc 2023-10-20 16:50:00 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.4.0-RHEL-9

Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974
Comment 27 errata-xmlrpc 2023-10-20 17:18:46 UTC 
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:5976 https://access.redhat.com/errata/RHSA-2023:5976
Comment 28 errata-xmlrpc 2023-10-23 14:24:46 UTC 
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:6031 https://access.redhat.com/errata/RHSA-2023:6031
Comment 29 errata-xmlrpc 2023-10-24 15:32:38 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085
Comment 30 errata-xmlrpc 2023-10-25 14:02:02 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115
Comment 31 errata-xmlrpc 2023-10-26 00:47:50 UTC 
This issue has been addressed in the following products:

  RODOO-1.0-RHEL-8

Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947
Comment 32 errata-xmlrpc 2023-10-26 01:04:44 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:5933 https://access.redhat.com/errata/RHSA-2023:5933
Comment 33 errata-xmlrpc 2023-10-30 02:16:20 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161
Comment 34 errata-xmlrpc 2023-11-02 19:16:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Serverless 1.30

Via RHSA-2023:6296 https://access.redhat.com/errata/RHSA-2023:6296
Comment 35 errata-xmlrpc 2023-11-03 08:45:43 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:6298 https://access.redhat.com/errata/RHSA-2023:6298
Comment 36 errata-xmlrpc 2023-11-15 01:08:33 UTC 
This issue has been addressed in the following products:

  CERT-MANAGER-1.11-RHEL-9

Via RHSA-2023:6279 https://access.redhat.com/errata/RHSA-2023:6279
Comment 37 errata-xmlrpc 2023-11-15 04:38:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840
Comment 38 errata-xmlrpc 2023-12-12 17:23:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7762 https://access.redhat.com/errata/RHSA-2023:7762
Comment 39 errata-xmlrpc 2023-12-12 17:23:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7763 https://access.redhat.com/errata/RHSA-2023:7763
Comment 40 errata-xmlrpc 2023-12-12 17:23:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7764 https://access.redhat.com/errata/RHSA-2023:7764
Comment 41 errata-xmlrpc 2023-12-12 17:23:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7766 https://access.redhat.com/errata/RHSA-2023:7766
Comment 42 errata-xmlrpc 2023-12-12 17:24:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7765 https://access.redhat.com/errata/RHSA-2023:7765
Comment 43 errata-xmlrpc 2024-01-10 11:28:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121
Comment 45 errata-xmlrpc 2024-01-23 21:32:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0293 https://access.redhat.com/errata/RHSA-2024:0293
Comment 46 errata-xmlrpc 2024-01-23 22:34:46 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0292 https://access.redhat.com/errata/RHSA-2024:0292
Comment 47 errata-xmlrpc 2024-02-28 18:14:27 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027
Note You need to log in before you can comment on or make changes to this bug.