Bug 1918750 (CVE-2021-3114) - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve [NEEDINFO]
Summary: CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3114
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1921144 1921145 1921147 1926294 1926306 1918751 1918752 1918755 1919261 1919264 1921148 1925082 1926291 1926292 1926293 1926295 1926296 1926297 1926298 1926307 1926308 1926387 1926388 1926389 1926390 1926391 1926392 1926393 1926394 1926395 1926396 1926397 1926398 1926399 1926400 1926401 1926402 1926403 1926404 1926405 1926406 1926407 1926408 1926409 1926410 1926411 1926412 1926413 1926414 1926415 1926416 1926417 1926418 1926419 1926420 1926421 1926422 1926423 1926424 1926425 1926426 1926427 1926428 1926429 1926430 1926433 1926434 1926435 1926436 1926437 1926441 1926804 1926805 1926806 1926807 1926808 1926809 1926810 1926811 1926812 1926813 1926814 1926815 1926816 1926817 1926844 1926845 1926846 1926847 1926848 1926849 1929068 1929069 1929070 1929071 1929072 1929073 1929074 1929075 1929076 1929077 1929078 1929079 1929080 1929081 1929082 1929083 1929084 1929085 1929086 1929087 1929088 1929089 1929090 1929091 1929092 1929093 1929094 1929095 1929096 1929097 1929098 1929100 1930116 1930117 1930118 1930119 1930120 1930121 1930122 1930123 1930124 1930125 1930126 1930127 1930128 1930129 1930130 1930131 1930132 1930148 1930149 1930162 1942847 1956489 1956491 2004046
Blocks: 1918758
TreeView+ depends on / blocked
 
Reported: 2021-01-21 14:01 UTC by Michael Kaplan
Modified: 2023-02-07 17:07 UTC (History)
122 users (show)

Fixed In Version: go 1.15.7, go 1.14.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw detected in golang: crypto/elliptic, in which P-224 keys as generated can return incorrect inputs, reducing the strength of the cryptography. The highest threat from this vulnerability is confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2021-03-30 05:35:09 UTC
krathod: needinfo? (hgomes)

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2437 0 None None None 2021-07-27 22:07:27 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:31:43 UTC
Red Hat Product Errata RHSA-2021:2532 0 None None None 2021-06-23 15:38:08 UTC
Red Hat Product Errata RHSA-2021:2543 0 None None None 2021-06-24 15:20:01 UTC
Red Hat Product Errata RHSA-2021:2920 0 None None None 2021-07-27 14:20:04 UTC
Red Hat Product Errata RHSA-2021:3119 0 None None None 2021-08-10 17:33:43 UTC
Red Hat Product Errata RHSA-2021:3748 0 None None None 2021-10-07 14:17:50 UTC
Red Hat Product Errata RHSA-2021:4103 0 None None None 2021-11-02 13:31:41 UTC
Red Hat Product Errata RHSA-2021:4226 0 None None None 2021-11-09 17:48:40 UTC
Red Hat Product Errata RHSA-2022:0308 0 None None None 2022-01-27 13:12:06 UTC

Description Michael Kaplan 2021-01-21 14:01:43 UTC 
The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.
Comment 1 Michael Kaplan 2021-01-21 14:02:14 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1918752]
Affects: fedora-all [bug 1918751]
Comment 5 Sage McTaggart 2021-01-27 15:38:57 UTC 
https://go-review.googlesource.com/c/go/+/284779/ Upstream patch
Comment 6 Hardik Vyas 2021-01-29 12:50:38 UTC 
Upstream issue and commit:

https://github.com/golang/go/issues/43786
https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871
Comment 7 Hardik Vyas 2021-01-29 12:50:58 UTC 
External References:

https://groups.google.com/g/golang-announce/c/mperVMGa98w
Comment 13 Przemyslaw Roguski 2021-02-08 18:46:34 UTC 
Statement:

OpenShift ServiceMesh (OSSM) 1.1 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of the support.
Comment 31 errata-xmlrpc 2021-03-30 04:19:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:0958 https://access.redhat.com/errata/RHSA-2021:0958
Comment 32 errata-xmlrpc 2021-03-30 04:46:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:0957 https://access.redhat.com/errata/RHSA-2021:0957
Comment 33 Product Security DevOps Team 2021-03-30 05:35:09 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3114
Comment 34 errata-xmlrpc 2021-04-22 18:17:44 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:1339 https://access.redhat.com/errata/RHSA-2021:1339
Comment 35 errata-xmlrpc 2021-04-22 19:07:39 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.14

Via RHSA-2021:1338 https://access.redhat.com/errata/RHSA-2021:1338
Comment 36 errata-xmlrpc 2021-05-04 19:33:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1366 https://access.redhat.com/errata/RHSA-2021:1366
Comment 37 Siddharth Sharma 2021-05-10 17:57:33 UTC 
This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped due to a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1958518.
Comment 40 errata-xmlrpc 2021-05-18 14:43:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1746 https://access.redhat.com/errata/RHSA-2021:1746
Comment 41 errata-xmlrpc 2021-05-19 04:02:33 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.10

Via RHSA-2021:2021 https://access.redhat.com/errata/RHSA-2021:2021
Comment 42 errata-xmlrpc 2021-05-19 09:14:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041
Comment 43 errata-xmlrpc 2021-05-19 15:01:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1551 https://access.redhat.com/errata/RHSA-2021:1551
Comment 44 errata-xmlrpc 2021-05-24 13:05:36 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.14

Via RHSA-2021:2093 https://access.redhat.com/errata/RHSA-2021:2093
Comment 45 errata-xmlrpc 2021-05-24 16:05:28 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:2095 https://access.redhat.com/errata/RHSA-2021:2095
Comment 47 errata-xmlrpc 2021-06-23 15:37:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.17

Via RHSA-2021:2532 https://access.redhat.com/errata/RHSA-2021:2532
Comment 49 errata-xmlrpc 2021-06-24 15:19:46 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543
Comment 50 errata-xmlrpc 2021-07-27 14:19:43 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.8

Via RHSA-2021:2920 https://access.redhat.com/errata/RHSA-2021:2920
Comment 51 errata-xmlrpc 2021-07-27 22:07:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2437 https://access.redhat.com/errata/RHSA-2021:2437
Comment 52 errata-xmlrpc 2021-07-27 22:31:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
Comment 55 errata-xmlrpc 2021-08-10 17:33:37 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:3119 https://access.redhat.com/errata/RHSA-2021:3119
Comment 57 errata-xmlrpc 2021-10-07 14:17:44 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2021:3748 https://access.redhat.com/errata/RHSA-2021:3748
Comment 59 errata-xmlrpc 2021-11-02 13:31:35 UTC 
This issue has been addressed in the following products:

  RHEL-7-CNV-4.9
  RHEL-8-CNV-4.9

Via RHSA-2021:4103 https://access.redhat.com/errata/RHSA-2021:4103
Comment 60 errata-xmlrpc 2021-11-09 17:48:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4226 https://access.redhat.com/errata/RHSA-2021:4226
Comment 61 errata-xmlrpc 2022-01-27 13:11:59 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2022:0308 https://access.redhat.com/errata/RHSA-2022:0308
Note You need to log in before you can comment on or make changes to this bug.