CVE-2019-6486

Impact:
Moderate
Public Date:
2019-01-24
CWE:
CWE-20
Bugzilla:
1668972: CVE-2019-6486 golang: crypto/elliptic implementations of P-521 and P-384 elliptic curves allow for denial of service

The MITRE CVE dictionary describes this issue as:

Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.

Find out more about CVE-2019-6486 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 7.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Affected Packages State

Platform Package State
Red Hat OpenStack Platform Operational Tools 9 golang Affected
Red Hat OpenShift Enterprise 3.2 Release Out of support scope
Red Hat OpenShift Container Platform 4.1 Release Under investigation
Red Hat OpenShift Container Platform 3.9 Release Under investigation
Red Hat OpenShift Container Platform 3.7 Release Under investigation
Red Hat OpenShift Container Platform 3.6 Release Under investigation
Red Hat OpenShift Container Platform 3.5 Release Out of support scope
Red Hat OpenShift Container Platform 3.4 Release Out of support scope
Red Hat OpenShift Container Platform 3.3 Release Out of support scope
Red Hat OpenShift Container Platform 3.11 Release Under investigation
Red Hat OpenShift Container Platform 3.10 Release Under investigation
Red Hat Gluster Storage 3 golang Affected
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7 golang Affected
Red Hat Enterprise Linux 8 go-toolset:rhel8/golang Affected
Red Hat Enterprise Linux 7 golang Not affected
Red Hat Ceph Storage 3 golang Affected
Red Hat Ceph Storage 2 golang Affected

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation