Description
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.
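The crash comes from the key length, not from the signature itself: if the bytes a peer places in the public key field of an `ssh-ed25519` blob are not exactly 32 bytes long and are handed to `ed25519.Verify`, the library panics instead of returning an error. The following Go program is an added example (not code from this page or from the golang.org/x/crypto project) showing the vulnerable pattern beside the hardened one. It uses the standard library's `crypto/ed25519` in place of `golang.org/x/crypto/ed25519`, and the SSH wire-format helpers (`sshString`, `readSSHString`, `BuildEd25519Blob`, `ParseEd25519PublicKey`, `VerifyChecked`, `VerifyUnchecked`) are simplified, hypothetical stand-ins for the real package's parsing code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// sshString encodes one SSH wire-format string: uint32 big-endian length
// followed by the bytes. Hypothetical helper, not the x/crypto/ssh API.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// readSSHString consumes one SSH string from in and returns it with the rest.
func readSSHString(in []byte) (s, rest []byte, err error) {
	if len(in) < 4 {
		return nil, nil, errors.New("ssh: short buffer")
	}
	n := int(binary.BigEndian.Uint32(in))
	if n < 0 || n > len(in)-4 {
		return nil, nil, errors.New("ssh: string length exceeds buffer")
	}
	return in[4 : 4+n], in[4+n:], nil
}

// BuildEd25519Blob builds an "ssh-ed25519" public key blob from raw key bytes
// WITHOUT validating their length. This is the attacker's side: a peer can
// put any number of bytes in the key field.
func BuildEd25519Blob(keyBytes []byte) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(keyBytes)...)
}

// ParseEd25519PublicKey parses a blob and enforces the key length before the
// key can reach ed25519.Verify. The standard library's Verify panics on any
// public key whose length is not ed25519.PublicKeySize, so this check turns
// an attacker-triggered crash into an ordinary authentication error.
func ParseEd25519PublicKey(blob []byte) (ed25519.PublicKey, error) {
	algo, rest, err := readSSHString(blob)
	if err != nil {
		return nil, err
	}
	if string(algo) != "ssh-ed25519" {
		return nil, fmt.Errorf("ssh: unexpected key type %q", algo)
	}
	key, rest, err := readSSHString(rest)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("ssh: trailing data after public key")
	}
	if l := len(key); l != ed25519.PublicKeySize {
		return nil, fmt.Errorf("ssh: invalid size %d for Ed25519 public key", l)
	}
	return ed25519.PublicKey(key), nil
}

// VerifyChecked is the hardened path: parse (with the length check), then verify.
func VerifyChecked(blob, msg, sig []byte) (bool, error) {
	pub, err := ParseEd25519PublicKey(blob)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(pub, msg, sig), nil
}

// VerifyUnchecked models the vulnerable behaviour: the key bytes go straight
// to ed25519.Verify. The recover() exists only so this demonstration can
// report the panic instead of crashing the process; a real server or client
// has no such guard around its authentication code.
func VerifyUnchecked(key, msg, sig []byte) (ok bool, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			ok, panicked = false, true
		}
	}()
	return ed25519.Verify(ed25519.PublicKey(key), msg, sig), false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed session identifier") // constructed sample input
	sig := ed25519.Sign(priv, msg)

	ok, err := VerifyChecked(BuildEd25519Blob(pub), msg, sig)
	fmt.Println("well-formed key, hardened path:", ok, err)

	crafted := BuildEd25519Blob(pub[:16]) // crafted blob carrying a 16-byte key
	_, err = VerifyChecked(crafted, msg, sig)
	fmt.Println("crafted key, hardened path:", err)

	_, panicked := VerifyUnchecked(pub[:16], msg, sig)
	fmt.Println("crafted key, vulnerable path panicked:", panicked)
}
```

The same key-length validation has to sit on both sides of a connection: a server applies it to keys offered during publickey authentication, and a client applies it to the host key it receives during key exchange, which is why the description above lists both directions of attack.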
Statement
OpenShift Container Platform uses the vulnerable library in a number of components but strictly as an SSH client. The severity of this vulnerability is reduced for clients as it requires connections to malicious SSH servers, with the maximum impact only a client crash. This vulnerability is rated Low for OpenShift Container Platform.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 1 | jaeger | Out of support scope | ||
| OpenShift Service Mesh 1 | jaeger-operator | Out of support scope | ||
| Red Hat Enterprise Linux 7 | gomtree | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Will not fix | ||
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift-cluster-autoscaler | Will not fix | ||
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift-descheduler | Will not fix | ||
| Red Hat OpenShift Container Platform 3.11 | golang-github-openshift-oauth-proxy | Will not fix | ||
| Red Hat OpenShift Container Platform 3.11 | openshift-enterprise-cluster-capacity | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-baremetal-installer-rhel8 | Fix deferred | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-baremetal-machine-controllers | Fix deferred | ||
Additional information
CVSS3: 7.5 High
Related vulnerabilities
Improper Verification of Cryptographic Signature in golang.org/x/crypto (CVSS3: 7.5 High)