Bug 1208271 (CVE-2022-41724) - VUL-0: TRACKERBUG: CVE-2022-41724: go1.19,go1.20: crypto/tls: large handshake records may cause panics
Status: RESOLVED FIXED
Alias: CVE-2022-41724
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/357251/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-41724:7.5:(AV:...
Reported: 2023-02-15 05:41 UTC by Jeff Kowalczyk
Modified: 2024-06-11 10:13 UTC

Description Jeff Kowalczyk 2023-02-15 05:41:03 UTC
Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.

This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

Thanks to Marten Seemann for reporting this issue.

This is CVE-2022-41724 and Go issue https://go.dev/issue/58001.
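
The three affected configurations listed in the description can be checked mechanically against a `tls.Config` when triaging Go services. The following is an added example, not part of the original report or the Go project's code; `exposure`, `sample` and `samples` are hypothetical names, and the sample configurations are constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// exposure (hypothetical helper) lists the affected configurations cfg matches.
func exposure(cfg *tls.Config, isServer bool) []string {
	// A zero MaxVersion means "highest supported", i.e. TLS 1.3 is on by default.
	enabled := func(v uint16) bool {
		return (cfg.MaxVersion == 0 || cfg.MaxVersion >= v) && cfg.MinVersion <= v
	}
	var hits []string
	if isServer && enabled(tls.VersionTLS13) && cfg.ClientAuth >= tls.RequestClientCert {
		hits = append(hits, "TLS 1.3 server requesting client certificates")
	}
	if !isServer && enabled(tls.VersionTLS13) {
		hits = append(hits, "TLS 1.3 client")
	}
	if !isServer && enabled(tls.VersionTLS12) && cfg.ClientSessionCache != nil {
		hits = append(hits, "TLS 1.2 client with session resumption enabled")
	}
	return hits
}

type sample struct {
	name   string
	cfg    *tls.Config
	server bool
}

// samples returns constructed configurations, not taken from any real package.
func samples() []sample {
	return []sample{
		{"default client", &tls.Config{}, false},
		{"TLS 1.2-only client, cache set", &tls.Config{MaxVersion: tls.VersionTLS12,
			ClientSessionCache: tls.NewLRUClientSessionCache(8)}, false},
		{"TLS 1.2-only client, no cache", &tls.Config{MaxVersion: tls.VersionTLS12}, false},
		{"server requiring client certs", &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}, true},
		{"server without client auth", &tls.Config{}, true},
	}
}

func main() {
	for _, s := range samples() {
		fmt.Printf("%-32s %v\n", s.name, exposure(s.cfg, s.server))
	}
}
```

An empty result means the configuration does not match any of the cases named in the description; it says nothing about which toolchain built the binary.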
Comment 1 Thomas Leroy 2023-02-15 10:45:54 UTC
Thanks for the report Jeff.

Strangely, I can't find any packages embedding the crypto/tls package.
Comment 2 Marcus Meissner 2023-02-15 10:53:38 UTC
I would guess it is in the go compiler itself?
Comment 3 Thomas Leroy 2023-02-15 11:18:43 UTC
(In reply to Marcus Meissner from comment #2)
> I would guess it is in the go compiler itself?
 
Maybe, but that's strange, I think crypto/tls is a pretty standard library. My tool is probably missing something.
Comment 4 Thomas Leroy 2023-02-15 11:55:22 UTC
After checking, crypto/tls is indeed not embedded in our packages. It seems that it's only used in Go to build other stuff. So fixing go1.X should be enough.
Comment 5 OBSbugzilla Bot 2023-02-16 08:25:08 UTC
This is an autogenerated message for OBS integration:
This bug (1208271) was mentioned in
https://build.opensuse.org/request/show/1066111 Factory / go1.19
Comment 8 Maintenance Automation 2023-03-14 20:30:05 UTC
SUSE-SU-2023:0735-1: An update that solves five vulnerabilities, contains one feature and has one fix can now be installed.

Category: security (important)
Bug References: 1206346, 1208269, 1208270, 1208271, 1208272, 1209030
CVE References: CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532
Jira References: PED-1962
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.2-150000.1.5.1
Development Tools Module 15-SP4 (src): go1.20-1.20.2-150000.1.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-03-14 20:30:13 UTC
SUSE-SU-2023:0733-1: An update that solves five vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1200441, 1208269, 1208270, 1208271, 1208272, 1209030
CVE References: CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532
Sources used:
openSUSE Leap 15.4 (src): go1.19-1.19.7-150000.1.23.1
Development Tools Module 15-SP4 (src): go1.19-1.19.7-150000.1.23.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.19-1.19.7-150000.1.23.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
SUSE Enterprise Storage 7.1 (src): go1.19-1.19.7-150000.1.23.1
Comment 10 OBSbugzilla Bot 2023-03-17 13:45:09 UTC
This is an autogenerated message for OBS integration:
This bug (1208271) was mentioned in
https://build.opensuse.org/request/show/1072629 Factory / go1.18
Comment 12 Maintenance Automation 2023-03-22 12:30:06 UTC
SUSE-SU-2023:0869-1: An update that solves three vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1208270, 1208271, 1208272, 1208491
CVE References: CVE-2022-41723, CVE-2022-41724, CVE-2022-41725
Sources used:
openSUSE Leap 15.4 (src): go1.18-1.18.10-150000.1.46.1
Development Tools Module 15-SP4 (src): go1.18-1.18.10-150000.1.46.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.18-1.18.10-150000.1.46.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.18-1.18.10-150000.1.46.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.18-1.18.10-150000.1.46.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.18-1.18.10-150000.1.46.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.18-1.18.10-150000.1.46.1
SUSE Enterprise Storage 7.1 (src): go1.18-1.18.10-150000.1.46.1
Comment 13 Maintenance Automation 2023-03-22 16:30:04 UTC
SUSE-SU-2023:0871-1: An update that solves five vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1200441, 1206134, 1208270, 1208271, 1208272, 1209030
CVE References: CVE-2022-41720, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532
Sources used:
Containers Module 15-SP4 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Enterprise Storage 7.1 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE Enterprise Storage 7 (src): container-suseconnect-2.4.0-150000.4.24.1
SUSE CaaS Platform 4.0 (src): container-suseconnect-2.4.0-150000.4.24.1
Comment 15 Maintenance Automation 2023-05-30 08:30:07 UTC
SUSE-SU-2023:2312-1: An update that solves 28 vulnerabilities, contains one feature and has three fixes can now be installed.

Category: security (important)
Bug References: 1183043, 1193742, 1198423, 1198424, 1198427, 1199413, 1200134, 1200135, 1200136, 1200137, 1201434, 1201436, 1201437, 1201440, 1201443, 1201444, 1201445, 1201447, 1201448, 1202035, 1203185, 1204023, 1204024, 1204025, 1204941, 1206134, 1206135, 1208270, 1208271, 1208272, 1208491
CVE References: CVE-2022-1705, CVE-2022-1962, CVE-2022-24675, CVE-2022-27536, CVE-2022-27664, CVE-2022-28131, CVE-2022-28327, CVE-2022-2879, CVE-2022-2880, CVE-2022-29526, CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30634, CVE-2022-30635, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725
Jira References: PED-1962
Sources used:
openSUSE Leap 15.4 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
openSUSE Leap 15.5 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
Development Tools Module 15-SP4 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
SUSE Enterprise Storage 7.1 (src): go1.18-openssl-1.18.10.1-150000.1.9.1
Comment 20 Robert Frohl 2024-05-06 08:14:29 UTC
done, closing
Comment 21 Andrea Mattiazzo 2024-06-11 10:13:08 UTC
All done, closing (for real :) )