Bug 1897635 (CVE-2020-28362) - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
Summary: CVE-2020-28362 golang: math/big: panic during recursive division of very larg...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-28362
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1897636 1897637 Red Hat1898659 Red Hat1898660 Red Hat1898820 Red Hat1898829 Red Hat1898835 Red Hat1898955 Red Hat1899185 Red Hat1902915 Red Hat1902916 Red Hat1902917 Red Hat1902918 Red Hat1902919 Red Hat1902920 Red Hat1902921 Red Hat1902922 Red Hat1902923 Red Hat1902924 Red Hat1902926 Red Hat1902927 Red Hat1902928 Red Hat1905509 Red Hat1905510 Red Hat1905511 Red Hat1905512 Red Hat1905513 Red Hat1905514 Red Hat1905515 Red Hat1905516 Red Hat1905517 Red Hat1905518 Red Hat1905520 Red Hat1905521 Red Hat1905522 Red Hat1905523 Red Hat1905524 Red Hat1905525 Red Hat1905526 Red Hat1905527 Red Hat1905528 Red Hat1905529 Red Hat1905530 Red Hat1905531 Red Hat1905533 Red Hat1905534 Red Hat1905535 Red Hat1905536 Red Hat1905537 Red Hat1905538 Red Hat1905539 Red Hat1905540 Red Hat1906015 Red Hat1906016 Red Hat1906017 Red Hat1906018 Red Hat1906019 Red Hat1906020 Red Hat1913515 Red Hat1914054 Red Hat1914055 Red Hat1914058 Red Hat1914059 Red Hat1916004 Red Hat1916187 Red Hat1916953 Red Hat1934654 Red Hat1934655 Red Hat1934657 Red Hat1934658 Red Hat1934659 Red Hat1934660 Red Hat1934661 Red Hat1934662 Red Hat1934663 Red Hat1935187 Red Hat1935188 Red Hat1935189 Red Hat1935190 Red Hat1935191 Red Hat1935192 Red Hat1935200 Red Hat1935203
Blocks: Embargoed1897651
TreeView+ depends on / blocked
 
Reported: 2020-11-13 17:02 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-02-07 17:07 UTC (History)
101 users (show)

See Also:
Fixed In Version: go 1.15.5, go 1.14.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the math/big package of Go's standard library that causes a denial of service. Applications written in Go that use math/big via cryptographic packages, including crypto/rsa and crypto/x509, are vulnerable and can potentially cause panic via a crafted certificate chain. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-12-15 22:19:14 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5333 0 None None None 2020-12-03 11:19:27 UTC
Red Hat Product Errata RHSA-2020:5493 0 None None None 2020-12-15 17:06:29 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:10:28 UTC
Red Hat Product Errata RHSA-2021:0037 0 None None None 2021-01-18 17:57:15 UTC
Red Hat Product Errata RHSA-2021:0038 0 None None None 2021-01-18 16:03:21 UTC
Red Hat Product Errata RHSA-2021:0039 0 None None None 2021-01-18 17:34:16 UTC
Red Hat Product Errata RHSA-2021:0145 0 None None None 2021-01-14 13:38:57 UTC
Red Hat Product Errata RHSA-2021:0146 0 None None None 2021-01-14 16:30:46 UTC
Red Hat Product Errata RHSA-2021:0436 0 None None None 2021-02-16 13:16:35 UTC
Red Hat Product Errata RHSA-2021:0568 0 None None None 2021-02-16 09:18:54 UTC
Red Hat Product Errata RHSA-2021:0799 0 None None None 2021-03-10 11:15:54 UTC
Red Hat Product Errata RHSA-2021:2532 0 None None None 2021-06-23 15:38:04 UTC
Red Hat Product Errata RHSA-2021:2543 0 None None None 2021-06-24 15:19:58 UTC

Description Guilherme de Almeida Suckevicz 2020-11-13 17:02:38 UTC 
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat methods are similarly affected.

References:
https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ
https://github.com/golang/go/issues/42552
Comment 1 Guilherme de Almeida Suckevicz 2020-11-13 17:03:16 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1897637]
Affects: fedora-all [bug 1897636]
Comment 3 Przemyslaw Roguski 2020-11-19 16:12:48 UTC 
Upstream commit with fix:
https://github.com/golang/go/commit/1e1fa5903b760c6714ba17e50bf850b01f49135c
Comment 12 errata-xmlrpc 2020-12-03 11:19:46 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:5333 https://access.redhat.com/errata/RHSA-2020:5333
Comment 23 Sage McTaggart 2020-12-15 15:13:48 UTC 
Statement:

OpenShift ServiceMesh (OSSM) 1.1 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of the support.
Openshift Virtualization 1 (formerly Container Native Virtualization) is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities.

Red Hat Gluster Storage 3 shipped multi-cloud-object-gateway-cli and noobaa-operator container as a technical preview and is not currently planned to be addressed in future updates.

OpenShift Container Platform (OCP) 4.5 and earlier are built with Go versions earlier than 1.14, which are not affected by this vulnerability. OCP 4.6 is built with Go 1.15 and is affected.
Comment 24 errata-xmlrpc 2020-12-15 17:06:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5493 https://access.redhat.com/errata/RHSA-2020:5493
Comment 25 Product Security DevOps Team 2020-12-15 22:19:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28362
Comment 26 errata-xmlrpc 2021-01-14 13:38:53 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:0145 https://access.redhat.com/errata/RHSA-2021:0145
Comment 27 errata-xmlrpc 2021-01-14 16:31:20 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.12

Via RHSA-2021:0146 https://access.redhat.com/errata/RHSA-2021:0146
Comment 28 errata-xmlrpc 2021-01-18 16:03:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0038 https://access.redhat.com/errata/RHSA-2021:0038
Comment 29 errata-xmlrpc 2021-01-18 17:34:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0039 https://access.redhat.com/errata/RHSA-2021:0039
Comment 30 errata-xmlrpc 2021-01-18 17:57:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0037 https://access.redhat.com/errata/RHSA-2021:0037
Comment 31 errata-xmlrpc 2021-02-16 09:18:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0568 https://access.redhat.com/errata/RHSA-2021:0568
Comment 32 errata-xmlrpc 2021-02-16 13:16:29 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0436 https://access.redhat.com/errata/RHSA-2021:0436
Comment 35 errata-xmlrpc 2021-02-24 15:10:22 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633
Comment 40 errata-xmlrpc 2021-03-10 11:15:46 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799
Comment 41 errata-xmlrpc 2021-05-04 19:33:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1366 https://access.redhat.com/errata/RHSA-2021:1366
Comment 42 Siddharth Sharma 2021-05-10 17:54:13 UTC 
This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped.
Comment 43 Siddharth Sharma 2021-05-10 17:57:19 UTC 
This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped due to a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1958518.
Comment 45 errata-xmlrpc 2021-05-19 09:14:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041
Comment 46 errata-xmlrpc 2021-05-19 10:23:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2042 https://access.redhat.com/errata/RHSA-2021:2042
Comment 47 errata-xmlrpc 2021-05-19 15:00:59 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1551 https://access.redhat.com/errata/RHSA-2021:1551
Comment 49 errata-xmlrpc 2021-06-23 15:37:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.17

Via RHSA-2021:2532 https://access.redhat.com/errata/RHSA-2021:2532
Comment 50 errata-xmlrpc 2021-06-24 15:19:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543
Note You need to log in before you can comment on or make changes to this bug.