Описание
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability.
Отчет
In OpenShift Container Platform (OCP) the vulnerable golang.org/x/crypto/ssh package is bundled in many components. The affected code is in the SSH server portion that is not used, hence the impact by this vulnerability is reduced. Additionally the OCP installer components, that also bundle vulnerable golang.org/x/crypto/ssh package, are used only during the cluster installation process, hence for already deployed and running OCP clusters the installer components are considered as affected by this vulnerability but not impacted.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Migration Toolkit for Containers | cpma | Affected | ||
| Migration Toolkit for Containers | rhmtc/openshift-migration-controller-rhel8 | Affected | ||
| Migration Toolkit for Containers | rhmtc/openshift-migration-velero-rhel8 | Affected | ||
| OpenShift Developer Tools and Services | odo | Will not fix | ||
| OpenShift Service Mesh 2.0 | servicemesh | Will not fix | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/agent-service-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicluster-operators-subscription-release-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicluster-operators-subscription-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/openshift-hive-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/volsync-mover-rclone-rhel8 | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1 ...
golang.org/x/crypto/ssh Denial of service via crafted Signer
Уязвимость компонента golang.org/x/crypto/ssh библиотеки для языка программирования Go crypto, позволяющая нарушителю вызывать отказ в обслуживании
EPSS
7.5 High
CVSS3