OpenShift Bugs / OCPBUGS-3248

CVE-2022-27191 ose-installer-container: golang: crash in a golang.org/x/crypto/ssh server [openshift-4]

      Cause: A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh.

      Consequence: This issue causes a client to fail authentication with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability.

      Fix: update golang.org/x/crypto/ssh to v0.0.0-20220315160706-3147a52a75

      Result: flaw is fixed.
    • CVE - Common Vulnerabilities and Exposures

      Security Tracking Issue

      Do not make this issue public.

      Impact: Moderate
      Reported Date: 16-Mar-2022
      PM Fix/Wontfix Decision By: 04-Dec-2022
      Resolve Bug By: 12-Sep-2022

      In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then. Remember to explicitly set CLOSED:WONTFIX if you decide not to fix this bug.

      Please review this tracker and its impact on your product or service as soon as possible. Trackers are filed WITHOUT in-depth analysis because the vulnerability has a Low or Moderate severity impact on this product or service. For more details, please refer to the following Confluence page: https://docs.engineering.redhat.com/x/3e_3EQ

      Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9kKpDw

      Flaw:

      CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
      https://bugzilla.redhat.com/show_bug.cgi?id=2064702

      A potential crash in a golang.org/x/crypto/ssh server under these conditions:

      • The server has been configured by passing a Signer to ServerConfig.AddHostKey.
      • The Signer passed to AddHostKey does not also implement AlgorithmSigner.
      • The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.
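      The three conditions above describe a concrete shape of Go value: a Signer whose PublicKey reports "ssh-rsa" but which has no SignWithAlgorithm method. The following is an added example written for this page (it is not code from the tracker, from OpenShift, or from golang.org/x/crypto). So that it builds on the standard library alone it mirrors the ssh.Signer, ssh.AlgorithmSigner and ssh.PublicKey interfaces with minimal local copies; the names CheckHostKeySigner, LegacySigner, AlgSigner and NewTestKey are chosen here, and the signed data is constructed. It shows the affected shape next to the shape an RSA host key should have, and a preflight check that refuses the affected shape before it reaches ServerConfig.AddHostKey.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"
	_ "crypto/sha256"
	_ "crypto/sha512"
	"errors"
	"fmt"
	"io"
)

// Minimal local mirrors of the golang.org/x/crypto/ssh types named in the advisory (an
// assumption of this added example); real code uses the ssh package's own types.
type Signature struct {
	Format string
	Blob   []byte
}
type PublicKey interface {
	Type() string
	Verify(data []byte, sig *Signature) error
}
type Signer interface {
	PublicKey() PublicKey
	Sign(r io.Reader, data []byte) (*Signature, error)
}
type AlgorithmSigner interface {
	Signer
	SignWithAlgorithm(r io.Reader, data []byte, algorithm string) (*Signature, error)
}

// SSH RSA signature algorithm names and the digest each one uses.
var rsaHashes = map[string]crypto.Hash{
	"ssh-rsa":      crypto.SHA1,
	"rsa-sha2-256": crypto.SHA256,
	"rsa-sha2-512": crypto.SHA512,
}

func digest(h crypto.Hash, data []byte) []byte {
	hw := h.New() // the blank crypto/sha* imports above register these hashes
	hw.Write(data)
	return hw.Sum(nil)
}

// signRSA produces a PKCS#1 v1.5 signature in the named SSH algorithm.
func signRSA(r io.Reader, priv *rsa.PrivateKey, data []byte, algorithm string) (*Signature, error) {
	h, ok := rsaHashes[algorithm]
	if !ok {
		return nil, fmt.Errorf("unsupported RSA signature algorithm %q", algorithm)
	}
	blob, err := rsa.SignPKCS1v15(r, priv, h, digest(h, data))
	if err != nil {
		return nil, err
	}
	return &Signature{Format: algorithm, Blob: blob}, nil
}

type rsaPublicKey struct{ pub *rsa.PublicKey }

func (k rsaPublicKey) Type() string { return "ssh-rsa" }
func (k rsaPublicKey) Verify(data []byte, sig *Signature) error {
	if h, ok := rsaHashes[sig.Format]; ok {
		return rsa.VerifyPKCS1v15(k.pub, h, digest(h, data), sig.Blob)
	}
	return fmt.Errorf("unsupported RSA signature algorithm %q", sig.Format)
}

// LegacySigner is the affected shape: an "ssh-rsa" key, Sign (SHA-1) only, no AlgorithmSigner.
type LegacySigner struct{ priv *rsa.PrivateKey }

func NewLegacySigner(priv *rsa.PrivateKey) Signer { return LegacySigner{priv} }
func (s LegacySigner) PublicKey() PublicKey       { return rsaPublicKey{&s.priv.PublicKey} }
func (s LegacySigner) Sign(r io.Reader, data []byte) (*Signature, error) {
	return signRSA(r, s.priv, data, "ssh-rsa")
}

// AlgSigner adds SignWithAlgorithm, so a server can answer rsa-sha2-256/512 negotiation.
type AlgSigner struct{ LegacySigner }

func NewAlgSigner(priv *rsa.PrivateKey) AlgorithmSigner { return AlgSigner{LegacySigner{priv}} }
func (s AlgSigner) SignWithAlgorithm(r io.Reader, data []byte, algorithm string) (*Signature, error) {
	return signRSA(r, s.priv, data, algorithm)
}

// CheckHostKeySigner: run before ServerConfig.AddHostKey; an error means all three conditions hold.
func CheckHostKeySigner(s Signer) error {
	if s.PublicKey().Type() != "ssh-rsa" {
		return nil // only RSA host keys are affected
	}
	if _, ok := s.(AlgorithmSigner); !ok {
		return errors.New("ssh-rsa host key Signer does not implement AlgorithmSigner; " +
			"add SignWithAlgorithm or update golang.org/x/crypto/ssh")
	}
	return nil
}

// NewTestKey generates a throwaway 2048-bit RSA key (constructed input for the demonstration).
func NewTestKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
```

      The check is a guard for code that cannot move to the fixed module straight away; the real fix is the module update named above. Signers created by the ssh package's own constructors already satisfy AlgorithmSigner, so the check mainly matters for custom Signer implementations, for example ones that wrap an HSM or an agent.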

            Unassigned
            rdossant (Rafael Fonseca dos Santos)
            Gaoyun Pei
            Votes: 0
            Watchers: 5