An attacker can craft an ssh-ed25519 or sk-ssh-ed25519 public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client. Reference: https://groups.google.com/forum/#!topic/kubernetes-security-discuss/s15RxeNdBLc
External Reference: https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY
Upstream Fix: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236
Statement: OpenShift Container Platform uses the vulnerable library in a number of components but strictly as an SSH client. The severity of this vulnerability is reduced for clients as it requires connections to malicious SSH servers, with the maximum impact only a client crash. This vulnerability is rated Low for OpenShift Container Platform.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2790 https://access.redhat.com/errata/RHSA-2020:2790
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2793 https://access.redhat.com/errata/RHSA-2020:2793
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2789 https://access.redhat.com/errata/RHSA-2020:2789
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-9283
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2878 https://access.redhat.com/errata/RHSA-2020:2878
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:3078 https://access.redhat.com/errata/RHSA-2020:3078
This issue has been addressed in the following products: Jaeger-1.17 Via RHSA-2020:3370 https://access.redhat.com/errata/RHSA-2020:3370
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Openshift Service Mesh 1.1 Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369
This issue has been addressed in the following products: OpenShift Service Mesh 1.0 Via RHSA-2020:3372 https://access.redhat.com/errata/RHSA-2020:3372
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:3414 https://access.redhat.com/errata/RHSA-2020:3414
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:3809 https://access.redhat.com/errata/RHSA-2020:3809
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:4264 https://access.redhat.com/errata/RHSA-2020:4264
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
This issue has been addressed in the following products: RHEL-8-CNV-2.6 Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799
This issue has been addressed in the following products: 3scale API Management Via RHSA-2021:1129 https://access.redhat.com/errata/RHSA-2021:1129