Allele Security Alert
ASA-2018-00076
Identifier(s)
ASA-2018-00076, CVE-2018-16875
Title
CPU denial of service in chain validation
Vendor(s)
The Go Authors
Product(s)
Go
Affected version(s)
Go before 1.11.3 and 1.10.6
Fixed version(s)
Go 1.11.3
Go 1.10.6
Proof of concept
Unknown
Description
The crypto/x509 package does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients verifying certificates are affected.
Technical details
Unknown
Credits
Netflix
Reference(s)
Go security releases 1.11.3 and 1.10.6
https://seclists.org/oss-sec/2018/q4/254
crypto/x509: CPU denial of service in chain validation #29233
https://golang.org/issue/29233
[release-branch.go1.11-security] crypto/x509: limit number of signature checks for each verification
https://github.com/golang/go/commit/df523969435b8945d939c7e2a849b50910ef4c25
[release-branch.go1.10-security] crypto/x509: limit number of signature checks for each verification
https://github.com/golang/go/commit/0a4a37f1f0a36e55d8ae5c34210a79499f9f2a9d
CVE-2018-16875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16875
CVE-2018-16875
https://nvd.nist.gov/vuln/detail/CVE-2018-16875
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 11, 2019