{
  "threat_severity" : "Moderate",
  "public_date" : "2018-12-13T20:00:00Z",
  "bugzilla" : {
    "description" : "golang: crypto/x509 allows for denial of service via crafted TLS client certificate",
    "id" : "1657565",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1657565"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-20",
  "details" : [ "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, so an attacker can craft pathological certificate input that causes a CPU denial of service. Because the malicious certificate is processed during chain verification, no valid credential is required (CVSS PR:N). Go TLS servers that accept client certificates are affected when a client presents such a certificate; Go TLS clients are affected when they connect to a server presenting one. Products built with Go (such as the OpenShift packages listed below) carry their own copy of the package and are tracked separately from the golang package itself." ],
  "statement" : "This issue affects the version of the golang package shipped in Red Hat Enterprise Linux 7. The golang package, previously available in the Optional channel, no longer receives updates in Red Hat Enterprise Linux 7, and this flaw will not be fixed there. Developers are encouraged to use the Go Toolset instead, which is available through the Red Hat Developer program, and to rebuild affected Go applications with it. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/chap-red_hat_enterprise_linux-7.6_release_notes-deprecated_functionality_in_rhel7#idm139716309923696",
  "acknowledgement" : "Red Hat would like to thank Dmitri Shuralyov (the Go team) for reporting this issue.",
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Will not fix",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Affected",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "golang",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "go-toolset:rhel8/golang",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "fix_state" : "Fix deferred",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.10",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "fix_state" : "Out of support scope",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.7",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "fix_state" : "Fix deferred",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.9",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty) Operational Tools",
    "fix_state" : "Not affected",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:openstack-optools:8"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka) Operational Tools",
    "fix_state" : "Not affected",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:openstack-optools:9"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-16875\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-16875\nhttps://apisecurity.io/mutual-tls-authentication-vulnerability-in-go-cve-2018-16875/\nhttps://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0" ],
  "name" : "CVE-2018-16875",
  "csaw" : false
}