Description
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
A null pointer dereference vulnerability was found in golang. When using the library's ssh server without specifying an option for GSSAPIWithMICConfig, it is possible for an attacker to craft an ssh client connection using the gssapi-with-mic authentication method and cause the server to panic, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
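As an added, defender-side illustration (not code from the advisory or from golang.org/x/crypto), the following Go program flags a go.mod whose golang.org/x/crypto requirement is at or before the last affected pseudo-version quoted above; as the statement below notes, the dependency version alone does not prove the build links golang.org/x/crypto/ssh/server.go, so a hit is a prompt to inspect the build, not proof of exposure. The module path and sample go.mod are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Timestamp of the last affected pseudo-version named in the advisory (v0.0.0-20201203163018-be400aefbc4c).
const lastAffectedStamp = "20201203163018"

// Constructed go.mod excerpt used as sample input (the version is illustrative).
const sampleGoMod = `module example.com/sshd-thing
require (
	golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9
)
`

// xCryptoAffected reports whether a golang.org/x/crypto version is at or before the
// last affected pseudo-version (v0.0.0-YYYYMMDDHHMMSS-<hash>); tagged releases post-date the fix.
func xCryptoAffected(version string) bool {
	if !strings.HasPrefix(version, "v0.0.0-") {
		return false
	}
	parts := strings.Split(strings.TrimPrefix(version, "v0.0.0-"), "-")
	if len(parts) < 2 || len(parts[0]) != 14 {
		return false // not a standard pseudo-version; left unflagged
	}
	// Fixed-width digit timestamps compare chronologically as strings.
	return parts[0] <= lastAffectedStamp
}

// findXCrypto scans go.mod text for golang.org/x/crypto and returns its version ("" if absent)
// plus whether that version is affected.
func findXCrypto(goMod string) (version string, affected bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == "golang.org/x/crypto" {
			return fields[1], xCryptoAffected(fields[1])
		}
	}
	return "", false
}

func main() {
	v, bad := findXCrypto(sampleGoMod)
	fmt.Printf("golang.org/x/crypto %s affected=%v\n", v, bad)
}
```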
Statement
A large number of products include the affected package, but do not make use of the vulnerable SSH server code. Accordingly, the flaw itself is rated as "Important", but these products themselves all have a "Low" severity rating.
Additionally, a number of products include golang.org/x/crypto (or even golang.org/x/crypto/ssh/terminal) but not specifically golang.org/x/crypto/ssh/server.go in the final build. As this would result in a very large number of entries of not affected products, only products which include the ssh server code (golang.org/x/crypto/ssh/server.go) have been represented here.
Red Hat Enterprise Linux 8 container-tools:rhel8/containernetworking-plugins is not affected because although it uses some functionality from golang.org/x/crypto, it does not use or import anything from golang.org/x/crypto/ssh/*.
Affected packages

Platform | Package | State | Advisory | Release
---|---|---|---|---
OpenShift Service Mesh 2.0 | 3scale-istio-adapter-rhel8-container | Will not fix | |
OpenShift Service Mesh 2.0 | servicemesh | Will not fix | |
OpenShift Service Mesh 2.0 | servicemesh-cni | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicluster-operators-subscription-release-rhel8 | Affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicluster-operators-subscription-rhel8 | Affected | |
Red Hat Enterprise Linux 7 | gomtree | Out of support scope | |
Red Hat Fuse 7 | crypto/ssh | Fix deferred | |
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Fix deferred | |
Red Hat OpenShift Container Platform 3.11 | atomic-openshift-cluster-autoscaler | Fix deferred | |
Red Hat OpenShift Container Platform 3.11 | atomic-openshift-descheduler | Fix deferred | |
Additional information
Status: 7.5 High (CVSS3)
Related vulnerabilities
golang.org/x/crypto/ssh NULL Pointer Dereference vulnerability
Vulnerability in the golang.org/x/crypto/ssh component of the crypto library for the Go programming language, allowing an attacker to cause a denial of service of SSH servers
7.5 High
CVSS3