Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2253193 (CVE-2023-45287) - CVE-2023-45287 golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges.
Summary: CVE-2023-45287 golang: crypto/tls: Timing Side Channel attack in RSA based TL...
Keywords:
Status: NEW
Alias: CVE-2023-45287
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On: 2253201 2253202 2253203 2253204 2253205 2253206 2253207 2253208 2253209 2253210 2253214 2253194 2253195 2253197 2253198 2253199 2253213
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-12-06 13:50 UTC by Patrick Del Bello
Modified: 2024-06-08 08:28 UTC (History)
122 users (show)

Fixed In Version: golang 1.20
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7200 0 None None None 2024-02-27 22:47:00 UTC
Red Hat Product Errata RHSA-2023:7201 0 None None None 2024-02-27 22:29:07 UTC
Red Hat Product Errata RHSA-2024:0269 0 None None None 2024-02-28 00:20:20 UTC
Red Hat Product Errata RHSA-2024:0281 0 None None None 2024-03-06 14:40:12 UTC
Red Hat Product Errata RHSA-2024:0748 0 None None None 2024-02-08 18:20:22 UTC
Red Hat Product Errata RHSA-2024:1078 0 None None None 2024-03-05 00:34:40 UTC
Red Hat Product Errata RHSA-2024:1859 0 None None None 2024-04-16 17:26:17 UTC
Red Hat Product Errata RHSA-2024:1901 0 None None None 2024-04-18 07:18:40 UTC
Red Hat Product Errata RHSA-2024:2180 0 None None None 2024-04-30 09:45:35 UTC
Red Hat Product Errata RHSA-2024:2193 0 None None None 2024-04-30 09:46:51 UTC
Red Hat Product Errata RHSA-2024:2239 0 None None None 2024-04-30 09:55:00 UTC
Red Hat Product Errata RHSA-2024:2245 0 None None None 2024-04-30 09:55:42 UTC
Red Hat Product Errata RHSA-2024:2272 0 None None None 2024-04-30 09:58:51 UTC

Description Patrick Del Bello 2023-12-06 13:50:49 UTC
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

https://go.dev/cl/326012/26
https://go.dev/issue/20654
https://groups.google.com/g/golang-announce/c/QMK8IQALDvA
https://people.redhat.com/~hkario/marvin/
https://pkg.go.dev/vuln/GO-2023-2375

Comment 1 Patrick Del Bello 2023-12-06 13:52:00 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2253194]
Affects: fedora-all [bug 2253195]

Comment 8 Debarshi Ray 2023-12-18 18:27:47 UTC
I see that there are bugs created for toolbox in RHEL 8, but not RHEL 9.  Why is that?  The code is exactly the same in both.

Comment 9 Patrick Del Bello 2023-12-19 13:55:11 UTC
Thanks for highlighting that debarshir. Allow me to check internally.

Comment 22 Vimal Kumar 2024-02-08 16:18:11 UTC
is there any advisory which shows in which exact golang version this CVE is fixed?

Comment 23 errata-xmlrpc 2024-02-08 18:20:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0748 https://access.redhat.com/errata/RHSA-2024:0748

Comment 24 errata-xmlrpc 2024-02-27 22:29:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201

Comment 25 errata-xmlrpc 2024-02-27 22:46:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7200 https://access.redhat.com/errata/RHSA-2023:7200

Comment 26 errata-xmlrpc 2024-02-28 00:20:15 UTC
This issue has been addressed in the following products:

  RODOO-1.1-RHEL-9

Via RHSA-2024:0269 https://access.redhat.com/errata/RHSA-2024:0269

Comment 28 errata-xmlrpc 2024-03-05 00:34:34 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2024:1078 https://access.redhat.com/errata/RHSA-2024:1078

Comment 29 errata-xmlrpc 2024-03-06 14:40:04 UTC
This issue has been addressed in the following products:

  OSSO-1.2-RHEL-9

Via RHSA-2024:0281 https://access.redhat.com/errata/RHSA-2024:0281

Comment 31 errata-xmlrpc 2024-04-16 17:26:11 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859

Comment 32 errata-xmlrpc 2024-04-18 07:18:34 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2024:1901 https://access.redhat.com/errata/RHSA-2024:1901

Comment 33 errata-xmlrpc 2024-04-30 09:45:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2180 https://access.redhat.com/errata/RHSA-2024:2180

Comment 34 errata-xmlrpc 2024-04-30 09:46:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2193 https://access.redhat.com/errata/RHSA-2024:2193

Comment 35 errata-xmlrpc 2024-04-30 09:54:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2239 https://access.redhat.com/errata/RHSA-2024:2239

Comment 36 errata-xmlrpc 2024-04-30 09:55:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2245 https://access.redhat.com/errata/RHSA-2024:2245

Comment 37 errata-xmlrpc 2024-04-30 09:58:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2272 https://access.redhat.com/errata/RHSA-2024:2272


Note You need to log in before you can comment on or make changes to this bug.