Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-3248

CVE-2022-27191 ose-installer-container: golang: crash in a golang.org/x/crypto/ssh server [openshift-4]

    XMLWordPrintable

Details

    • Moderate
    • False
    • Hide

      None

      Show
      None
    • Hide
      Cause: A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh.

      Consequence: This issue causes a client to fail authentication with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability.

      Fix: update golang.org/x/crypto/ssh to v0.0.0-20220315160706-3147a52a75

      Result: flaw is fixed.
      Show
      Cause: A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. Consequence: This issue causes a client to fail authentication with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability. Fix: update golang.org/x/crypto/ssh to v0.0.0-20220315160706-3147a52a75 Result: flaw is fixed.
    • CVE - Common Vulnerabilities and Exposures

    Description

      Security Tracking Issue

      Do not make this issue public.

      Impact: Moderate
      Reported Date: 16-Mar-2022
      PM Fix/Wontfix Decision By: 04-Dec-2022
      Resolve Bug By: 12-Sep-2022

      In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then. Remember to explicitly set CLOSED:WONTFIX if you decide not to fix this bug.

      Please review this tracker and its impact on your product or service, as soon as possible. The trackers are filed WITHOUT in-depth analysis as the vulnerability has a Low or Moderate severity impact on this product or service. For more details, please refer to following confluence page - https://docs.engineering.redhat.com/x/3e_3EQ

      Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9kKpDw

      Flaw:

      CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
      https://bugzilla.redhat.com/show_bug.cgi?id=2064702

      A potential crash in a golang.org/x/crypto/ssh server under these conditions:

      • The server has been configured by passing a Signer to ServerConfig.AddHostKey.
      • The Signer passed to AddHostKey does not also implement AlgorithmSigner.
      • The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-3249 CVE-2022-27191 ose-installer-container: golang: crash in a golang.org/x/crypto/ssh server [openshift-4]

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is depended on by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-3249 CVE-2022-27191 ose-installer-container: golang: crash in a golang.org/x/crypto/ssh server [openshift-4]

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          links to

          Web Link Bug 2074299: update golang.org/x/crypto to address security vulnerabilities

          Web Link Original BZ

          Activity

            People

              Unassigned Unassigned
              rdossant Rafael Fonseca dos Santos
              Gaoyun Pei Gaoyun Pei
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: