Описание
Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
A denial of service vector has been discovered in the golang crypto/x509 module. An attacker could craft an intermediate X.509 certificate containing a DSA public key and can crash a remote host with an unauthenticated call to any endpoint that verifies the certificate chain.
Отчет
Availability impacts are limited on Red Hat products as they do not affect the host systems.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-rhel9 | Under investigation | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-waiters-rhel9 | Under investigation | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Under investigation | ||
| Compliance Operator | compliance/openshift-compliance-operator-bundle | Under investigation | ||
| Confidential Compute Attestation | build-of-trustee/trustee-rhel9-operator | Under investigation | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-monitor-rhel9 | Under investigation | ||
| Cryostat 4 | cryostat/cryostat-storage-rhel9 | Under investigation | ||
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9 | Under investigation | ||
| Deployment Validation Operator | dvo/deployment-validation-rhel8-operator | Under investigation | ||
| ExternalDNS Operator | edo/external-dns-rhel8 | Under investigation |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
Panic when validating certificates with DSA public keys in crypto/x509
Validating certificate chains which contain DSA public keys can cause ...
Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
EPSS
5.3 Medium
CVSS3