Description
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
A flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Migration Toolkit for Containers | cpma | Fix deferred | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-controller-rhel9 | Affected | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-must-gather-api-rhel8 | Affected | ||
| mirror registry for Red Hat OpenShift | mirror-registry-container | Affected | ||
| OpenShift Developer Tools and Services | helm | Affected | ||
| OpenShift Developer Tools and Services | odo | Affected | ||
| OpenShift Pipelines | openshift-pipelines-client | Affected | ||
| OpenShift Serverless | openshift-serverless-1-eventing-kafka-channel-webhook-rhel8-container | Fix deferred | ||
| OpenShift Service Mesh 2.0 | ior | Affected | ||
| OpenShift Service Mesh 2.0 | kiali | Affected | ||
Additional information
Status:
EPSS
CVSS3: 3.1 Low
Related vulnerabilities
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
Session tickets lack random ticket_age_add in crypto/tls
Non-random values for ticket_age_add in session tickets in crypto/tls ...