exploitDog
BDU:2024-02373

Published: 10 May 2022
Source: fstec
CVSS3: 3.1
CVSS2: 2.6
EPSS: Low

Description

The crypto/tls package of the Go programming language generated insufficiently random ticket_age_add values for TLS session tickets. A remote attacker who can observe TLS handshakes can compare the ticket ages presented during session resumption and thereby correlate successive connections from the same client.
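The mechanism behind this entry, as an added Go example that is not code from the Go project or from this page: it models the TLS 1.3 obfuscated_ticket_age computation (RFC 8446, sections 4.2.11 and 4.6.1) and shows why a passive observer can link two resumption handshakes when ticket_age_add is not random. The constant weakConnectionAdd, the timestamps and the observer's tolerance are constructed for illustration and are not Go's actual pre-1.17.11 derivation.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"io"
)

// ticket is what a TLS 1.3 client keeps from a NewSessionTicket message:
// when it was issued and the 32-bit ticket_age_add the server put in it.
// The client never sends its real ticket age on the wire.
type ticket struct {
	issuedMs uint64
	ageAdd   uint32
}

// issueTicket models the server. With weak == false ticket_age_add is read
// from randSrc (a CSPRNG in practice). With weak == true it is a fixed
// per-connection value: a constructed stand-in for "non-random", so every
// ticket from that connection carries the same offset.
func issueTicket(issuedMs uint64, randSrc io.Reader, weak bool) (ticket, error) {
	const weakConnectionAdd = 0x5a5a5a5a // hypothetical constant offset
	if weak {
		return ticket{issuedMs: issuedMs, ageAdd: weakConnectionAdd}, nil
	}
	var buf [4]byte
	if _, err := io.ReadFull(randSrc, buf[:]); err != nil {
		return ticket{}, fmt.Errorf("ticket_age_add: %w", err)
	}
	return ticket{issuedMs: issuedMs, ageAdd: binary.LittleEndian.Uint32(buf[:])}, nil
}

// obfuscatedAge is what the client sends in the PskIdentity of a resumption
// ClientHello: (age in milliseconds + ticket_age_add) mod 2^32.
func obfuscatedAge(t ticket, nowMs uint64) uint32 {
	return uint32(nowMs-t.issuedMs) + t.ageAdd // uint32 arithmetic wraps mod 2^32
}

// observation is what a passive on-path attacker records per resumption
// handshake: its own capture time and the obfuscated_ticket_age sent in clear.
type observation struct {
	seenMs uint64
	obf    uint32
}

// linked is the observer's test. If two resumptions used tickets that share a
// ticket_age_add, the difference of the two obfuscated ages equals the
// wall-clock gap the observer measured between the handshakes (modulo clock
// skew, absorbed by tolMs). Independent random ticket_age_add values break
// that relation, which is exactly what the field exists for.
func linked(a, b observation, tolMs uint32) bool {
	elapsed := uint32(b.seenMs - a.seenMs)
	residual := (b.obf - a.obf) - elapsed // mod 2^32
	return residual <= tolMs || -residual <= tolMs
}

// scenario issues two tickets to one client in a single connection, resumes
// with each at a later time, and reports whether the observer could link them.
func scenario(randSrc io.Reader, weak bool) (bool, error) {
	const issuedMs = 1_700_000_000_000 // constructed timestamp
	t1, err := issueTicket(issuedMs, randSrc, weak)
	if err != nil {
		return false, err
	}
	t2, err := issueTicket(issuedMs, randSrc, weak)
	if err != nil {
		return false, err
	}
	first := observation{seenMs: issuedMs + 5_000, obf: obfuscatedAge(t1, issuedMs+5_000)}
	second := observation{seenMs: issuedMs + 12_000, obf: obfuscatedAge(t2, issuedMs+12_000)}
	return linked(first, second, 50), nil
}

func main() {
	for _, weak := range []bool{true, false} {
		ok, err := scenario(rand.Reader, weak)
		if err != nil {
			panic(err)
		}
		fmt.Printf("non-random ticket_age_add=%v -> observer links the two resumptions: %v\n", weak, ok)
	}
}
```

Run with go run: the weak server yields true, the random one false. To check a deployment, compare go version of the binary's toolchain against the fixed releases named on this page (1.17.11 and 1.18.3), or run govulncheck, which reports this issue under the GO-2022-0531 identifier linked below.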

Vendor

Red Hat Inc.
Novell Inc.
Free software community
Canonical Ltd.
Fedora Project
Red Soft LLC
The Go Project

Software name

Red Hat Enterprise Linux
OpenSUSE Leap
Debian GNU/Linux
Red Hat Software Collections
openSUSE Tumbleweed
Ubuntu
Red Hat Quay
Red Hat 3scale API Management Platform
Fedora
RED OS
SUSE Linux Enterprise High Performance Computing
Suse Linux Enterprise Server
SUSE Linux Enterprise Server for SAP Applications
SUSE Manager Proxy
SUSE Manager Server
Suse Linux Enterprise Desktop
Red Hat Openshift Data Foundation
SUSE Linux Enterprise Module for Development Tools
Red Hat Advanced Cluster Management for Kubernetes
Red Hat OpenShift GitOps
Red Hat OpenShift Container Platform
Red Hat Openshift Container Storage
SUSE Manager Retail Branch Server
Red Hat OpenStack Platform
SUSE Enterprise Storage
Red Hat Web Terminal
Service Telemetry Framework
OpenShift Developer Tools and Services
SUSE Linux Enterprise Real Time
Red Hat Ceph Storage
Red Hat OpenShift on AWS
Migration Toolkit for Virtualization
Red Hat OpenShift Virtualization
OpenShift Serverless
Red Hat Ansible Automation Platform
Red Hat Developer Tools
Red Hat Advanced Cluster Security
Migration Toolkit for Containers
OpenShift Pipelines
Openshift Service Mesh
SUSE Liberty Linux
Go
multicluster engine for Kubernetes
OpenShift API for Data Protection
OpenShift Secondary Scheduler Operator
Red Hat OpenShift distributed tracing

Software version

7 (Red Hat Enterprise Linux)
15.5 (OpenSUSE Leap)
8 (Red Hat Enterprise Linux)
10 (Debian GNU/Linux)
- (Red Hat Software Collections)
- (openSUSE Tumbleweed)
20.04 LTS (Ubuntu)
3 (Red Hat Quay)
2 (Red Hat 3scale API Management Platform)
16.04 ESM (Ubuntu)
15.3 (OpenSUSE Leap)
11 (Debian GNU/Linux)
35 (Fedora)
7.3 (RED OS)
15.4 (OpenSUSE Leap)
15 SP3 (SUSE Linux Enterprise High Performance Computing)
15 SP3 (Suse Linux Enterprise Server)
15 SP3 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Proxy)
4.2 (SUSE Manager Server)
15 SP3 (Suse Linux Enterprise Desktop)
4 (Red Hat Openshift Data Foundation)
15 SP3 (SUSE Linux Enterprise Module for Development Tools)
2 (Red Hat Advanced Cluster Management for Kubernetes)
36 (Fedora)
- (Red Hat OpenShift GitOps)
15 SP4 (Suse Linux Enterprise Server)
4 (Red Hat OpenShift Container Platform)
15 SP4 (Suse Linux Enterprise Desktop)
15 SP4 (SUSE Linux Enterprise Server for SAP Applications)
4 (Red Hat Openshift Container Storage)
4.2 (SUSE Manager Retail Branch Server)
22.04 LTS (Ubuntu)
9 (Red Hat Enterprise Linux)
16.2 (Red Hat OpenStack Platform)
4.3 (SUSE Manager Retail Branch Server)
4.3 (SUSE Manager Proxy)
4.3 (SUSE Manager Server)
15 SP4 (SUSE Linux Enterprise High Performance Computing)
7.1 (SUSE Enterprise Storage)
15 SP4 (SUSE Linux Enterprise Module for Development Tools)
- (Red Hat Web Terminal)
1.3 for RHEL 8 (Service Telemetry Framework)
1.4 for RHEL 8 (Service Telemetry Framework)
- (OpenShift Developer Tools and Services)
15 SP3-LTSS (Suse Linux Enterprise Server)
16.1 (Red Hat OpenStack Platform)
15 SP3-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP3-LTSS (SUSE Linux Enterprise High Performance Computing)
15 SP3 (SUSE Linux Enterprise Real Time)
5 (Red Hat Ceph Storage)
- (Red Hat OpenShift on AWS)
- (Migration Toolkit for Virtualization)
4 (Red Hat OpenShift Virtualization)
- (OpenShift Serverless)
2 (Red Hat Ansible Automation Platform)
18.04 ESM (Ubuntu)
6.1 (Red Hat Ceph Storage)
4.11 (Red Hat OpenShift Container Platform)
- (Red Hat Developer Tools)
2 (Red Hat OpenShift Virtualization)
3 (Red Hat Advanced Cluster Security)
1.2 (Red Hat Ansible Automation Platform)
- (Migration Toolkit for Containers)
- (OpenShift Pipelines)
2.1 (Openshift Service Mesh)
9 (SUSE Liberty Linux)
8 (SUSE Liberty Linux)
before 1.17.11 (Go)
from 1.18.0 before 1.18.3 (Go)
2.1 for RHEL 8 (multicluster engine for Kubernetes)
1.1 for RHEL 8 (OpenShift API for Data Protection)
1.0 for RHEL 8 (OpenShift API for Data Protection)
1.24 (OpenShift Serverless)
1 on RHEL 8 (OpenShift Serverless)
1.1 for RHEL 8 (OpenShift Secondary Scheduler Operator)
2.4 for RHEL 8 (Red Hat Advanced Cluster Management for Kubernetes)
2.6 for RHEL 8 (Red Hat Advanced Cluster Management for Kubernetes)
2.5 for RHEL 8 (Red Hat Advanced Cluster Management for Kubernetes)
2.7 for RHEL 8 (Red Hat Advanced Cluster Management for Kubernetes)
1.7 (Migration Toolkit for Containers)
2.0 (Openshift Service Mesh)
2 (Red Hat OpenShift distributed tracing)

Software type

Operating system
Application software for information systems
Network tool
Software of a hardware/software appliance
Virtualization software / virtual appliance software
Network software tool

Operating systems and hardware platforms

Red Hat Inc. Red Hat Enterprise Linux 7
Novell Inc. OpenSUSE Leap 15.5
Red Hat Inc. Red Hat Enterprise Linux 8
Free software community Debian GNU/Linux 10
Novell Inc. openSUSE Tumbleweed -
Canonical Ltd. Ubuntu 20.04 LTS
Canonical Ltd. Ubuntu 16.04 ESM
Novell Inc. OpenSUSE Leap 15.3
Free software community Debian GNU/Linux 11
Fedora Project Fedora 35
Red Soft LLC RED OS 7.3
Novell Inc. OpenSUSE Leap 15.4
Novell Inc. Suse Linux Enterprise Server 15 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3
Novell Inc. Suse Linux Enterprise Desktop 15 SP3
Fedora Project Fedora 36
Novell Inc. Suse Linux Enterprise Server 15 SP4
Novell Inc. Suse Linux Enterprise Desktop 15 SP4
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4
Canonical Ltd. Ubuntu 22.04 LTS
Red Hat Inc. Red Hat Enterprise Linux 9
Novell Inc. Suse Linux Enterprise Server 15 SP3-LTSS
Novell Inc. SUSE Linux Enterprise Real Time 15 SP3
Canonical Ltd. Ubuntu 18.04 ESM
Novell Inc. SUSE Liberty Linux 9
Novell Inc. SUSE Liberty Linux 8

Vulnerability severity level

Low severity (CVSS 2.0 base score 2.6)
Low severity (CVSS 3.0 base score 3.1)

Possible remediation measures

Follow the vendor recommendations:
For Go:
https://go-review.googlesource.com/c/go/+/405994
https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5
https://pkg.go.dev/vuln/GO-2022-0531
For RED OS:
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
For Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2022-30629
For Red Hat Inc. products:
https://access.redhat.com/security/cve/CVE-2022-30629
For Ubuntu:
https://ubuntu.com/security/notices/USN-6038-1
https://ubuntu.com/security/notices/USN-6038-2
For Novell Inc. products:
https://www.suse.com/security/cve/CVE-2022-30629.html
For Fedora:
https://lists.fedoraproject.org/archives/search?mlist=package-announce%40lists.fedoraproject.org&q=2022-30629

Vulnerability status

Confirmed by the vendor

Exploit availability

Publicly available

Remediation information

Vulnerability fixed

Identifiers in other vulnerability description systems

CVE-2022-30629
GO-2022-0531

EPSS: 0.00048 (percentile 15%), Low
CVSS3: 3.1 Low
CVSS2: 2.6 Low

Related vulnerabilities

CVSS3: 3.1
ubuntu
almost 3 years ago

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

CVSS3: 3.1
redhat
about 3 years ago

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

CVSS3: 3.1
nvd
almost 3 years ago

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

CVSS3: 3.1
msrc
almost 3 years ago

No description available

CVSS3: 3.1
debian
almost 3 years ago

Non-random values for ticket_age_add in session tickets in crypto/tls ...
