CVE-2018-16875 - OpenCVE

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:L/Au:N/C:N/I:N/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Golang	Go
Opensuse	Leap

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

Configuration 2 [-]

cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
http://www.securityfocus.com/bid/106230	Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875	Issue Tracking Third Party Advisory
https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0
https://security.gentoo.org/glsa/201812-09	Mitigation Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2018-12-14T14:00:00

Updated: 2019-07-14T11:06:00

Reserved: 2018-09-11T00:00:00

Link: CVE-2018-16875

JSON object: View

NVD Information

Status : Modified

Published: 2018-12-14T14:29:00.523

Modified: 2023-11-07T02:53:57.207

Link: CVE-2018-16875

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "golang", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "1.10.6"}, {"status": "affected", "version": "1.11.3"}]}], "datePublic": "2018-12-13T00:00:00", "descriptions": [{"lang": "en", "value": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-07-14T11:06:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "106230", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106230"}, {"name": "GLSA-201812-09", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201812-09"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0"}, {"name": "openSUSE-SU-2019:1079", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"}, {"name": "openSUSE-SU-2019:1444", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"}, {"name": "openSUSE-SU-2019:1499", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"}, {"name": "openSUSE-SU-2019:1506", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"}, {"name": "openSUSE-SU-2019:1703", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2018-16875", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "golang", "version": {"version_data": [{"version_value": "1.10.6"}, {"version_value": "1.11.3"}]}}]}, "vendor_name": "[UNKNOWN]"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected."}]}, "impact": {"cvss": [[{"vectorString": "5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20"}]}]}, "references": {"reference_data": [{"name": "106230", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106230"}, {"name": "GLSA-201812-09", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201812-09"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875"}, {"name": "https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0", "refsource": "MISC", "url": "https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0"}, {"name": "openSUSE-SU-2019:1079", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"}, {"name": "openSUSE-SU-2019:1444", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"}, {"name": "openSUSE-SU-2019:1499", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"}, {"name": "openSUSE-SU-2019:1506", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"}, {"name": "openSUSE-SU-2019:1703", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-16875", "datePublished": "2018-12-14T14:00:00", "dateReserved": "2018-09-11T00:00:00", "dateUpdated": "2019-07-14T11:06:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "49A979C3-1002-477D-9874-FD5E0D1681D4", "versionEndExcluding": "1.10.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F67C474-BD21-4A3E-9F35-3D36BB6F09F4", "versionEndExcluding": "1.11.3", "versionStartIncluding": "1.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected."}, {"lang": "es", "value": "El paquete crypto/x509 de Go, en versiones anteriores a la 1.10.6 y versiones 1.11.x anteriores a la 1.11.3,no limita la cantidad de trabajo realizado para cada verificaci\u00f3n de cadenas, lo que podr\u00eda permitir que los atacantes manipulen entradas patol\u00f3gicas que conducen a la denegaci\u00f3n de servicio (DoS) de la CPU. Los servidores TLS de Go que aceptan certificados de clientes y clientes TLS se han visto afectados."}], "id": "CVE-2018-16875", "lastModified": "2023-11-07T02:53:57.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2018-12-14T14:29:00.523", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106230"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875"}, {"source": "secalert@redhat.com", "url": "https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0"}, {"source": "secalert@redhat.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201812-09"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Secondary"}]}