CVE-2022-27191
First published: Tue Mar 15 2022(Updated: )
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Golang Ssh | <0.0.0-20220314234659-1baeb1ce4c0b | |
| Fedoraproject Extra Packages For Enterprise Linux | =8.0 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Redhat Advanced Cluster Management For Kubernetes | =2.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| go/golang.org/x/crypto | <0.0.0-20220314234659-1baeb1ce4c0b | 0.0.0-20220314234659-1baeb1ce4c0b |
| redhat/openshift-serverless-clients | <0:1.5.0-3.el8 | 0:1.5.0-3.el8 |
| redhat/podman | <2:4.2.0-3.el9 | 2:4.2.0-3.el9 |
| redhat/buildah | <1:1.27.0-2.el9 | 1:1.27.0-2.el9 |
| redhat/cri-o | <0:1.24.1-11.rhaos4.11.gitb0d2ef3.el8 | 0:1.24.1-11.rhaos4.11.gitb0d2ef3.el8 |
| redhat/openshift-clients | <0:4.13.0-202305291355.p0.g1024efc.assembly.stream.el8 | 0:4.13.0-202305291355.p0.g1024efc.assembly.stream.el8 |
| redhat/kubevirt | <0:4.11.0-643.el7 | 0:4.11.0-643.el7 |
| redhat/kubevirt | <0:4.11.0-643.el8 | 0:4.11.0-643.el8 |
| redhat/golang.org/x/crypto/ssh v0.0.0-20220315160706 | <3147 | 3147 |
| IBM Cloud Pak for Security | <=1.10.0.0 - 1.10.11.0 | |
| IBM QRadar Suite Software | <=1.10.12.0 - 1.10.16.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-27191
- https://groups.google.com/g/golang-announce
- https://groups.google.com/g/golang-announce/c/-cp44ypCT5s
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HHGBEGJ54DZZGTXFUQNS7ZIG3E624YAF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QTFOIDHQRGNI4P6LYN6ILH5G443RYYKB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YHYRQB7TRMHDB3NEHW5XBRG7PPMUTPGV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQNPPQWSTP2IX7SHE6TS4SP4EVMI5EZK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/
- https://security.netapp.com/advisory/ntap-20220429-0002/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ3S7LB65N54HXXBCB67P4TTOHTNPP5O/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFUNHFHQVJSADNH7EZ3B53CYDZVEEPBP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/
- https://raw.githubusercontent.com/golang/vulndb/df2d3d326300e2ae768f00351ffa96cc2c56cf54/reports/GO-2021-0356.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/
- https://go.dev/cl/392355
- https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d
- https://pkg.go.dev/vuln/GO-2021-0356
- https://github.com/advisories/GHSA-8c26-wmh5-6g9v (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/222162
- https://www.ibm.com/support/pages/node/7080058 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074252
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074253
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074254
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074255
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074256
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074257
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074258
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074259
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074260
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074261
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074248
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074249
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074262
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074263
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074264
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074265
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074266
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074267
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074250
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074251
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2074268
- https://access.redhat.com/errata/RHSA-2022:1476
- https://access.redhat.com/errata/RHSA-2022:4956
- https://access.redhat.com/errata/RHSA-2022:5068
- https://access.redhat.com/errata/RHSA-2022:5069
- https://access.redhat.com/errata/RHSA-2022:6347
- https://access.redhat.com/errata/RHSA-2022:6527
- https://access.redhat.com/errata/RHSA-2022:6526
- https://access.redhat.com/errata/RHSA-2022:7457
- https://access.redhat.com/errata/RHSA-2022:7469
- https://access.redhat.com/errata/RHSA-2022:7954
- https://access.redhat.com/errata/RHSA-2022:8008
- https://access.redhat.com/errata/RHSA-2022:8634
- https://access.redhat.com/errata/RHSA-2022:8932
- https://access.redhat.com/errata/RHSA-2022:8938
- https://access.redhat.com/errata/RHSA-2022:8893
- https://access.redhat.com/errata/RHSA-2022:9107
- https://access.redhat.com/errata/RHSA-2022:7401
- https://access.redhat.com/errata/RHSA-2022:9096
- https://access.redhat.com/security/cve/cve-2022-27191
- https://access.redhat.com/errata/RHSA-2023:1326
- https://access.redhat.com/errata/RHSA-2023:3366
- https://access.redhat.com/errata/RHSA-2023:3943
- https://access.redhat.com/errata/RHSA-2023:4488
- https://bugzilla.redhat.com/show_bug.cgi?id=2064702
- https://www.cve.org/CVERecord?id=CVE-2022-27191 https://nvd.nist.gov/vuln/detail/CVE-2022-27191 https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ
Parent vulnerabilities
(Appears in the following advisories)
- IBM-7080058
- RHSA-2022:8634
- RHSA-2022:8932
- RHSA-2022:4956
- RHSA-2022:6347
- RHSA-2022:7457
- RHSA-2022:7469
- RHSA-2022:7954
- RHSA-2022:8008
- RHSA-2022:5068
- RHSA-2022:5069
- RHSA-2022:8893
- RHSA-2022:9107
- RHSA-2023:4488
- RHSA-2022:7401
- RHSA-2022:9096
- RHSA-2023:1326
- RHSA-2023:3366
- RHSA-2023:3943
- RHSA-2022:6527
- RHSA-2022:6526
- RHSA-2022:8938
Frequently Asked Questions
What is CVE-2022-27191?
CVE-2022-27191 is a vulnerability in the golang.org/x/crypto/ssh package that allows an attacker to crash a server by failing authentication with RSA keys.
What is the severity of CVE-2022-27191?
CVE-2022-27191 has a severity level of high.
How does CVE-2022-27191 affect golang.org/x/crypto/ssh?
CVE-2022-27191 causes a client to fail authentication with RSA keys to servers that reject SHA-2 signature algorithms.
How can I fix CVE-2022-27191?
To fix CVE-2022-27191, upgrade to golang.org/x/crypto/ssh version 0.0.0-20220314234659-1baeb1ce4c0b or later.
Are there any references for CVE-2022-27191?
Yes, you can find references for CVE-2022-27191 at the following links: [link1], [link2], [link3].
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- alias/GHSA-8c26-wmh5-6g9v
- alias/CVE-2022-27191
- collector/github-advisory-latest
- collector/ibm-support
- collector/nvd-api
- collector/nvd-cve
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/redhat-cve
- package-manager/go
- vendor/ibm
- canonical/ibm cloud pak for security
- version/ibm cloud pak for security/1.10.0.0 - 1.10.11.0
- canonical/ibm qradar suite software
- version/ibm qradar suite software/1.10.12.0 - 1.10.16.0
- vendor/golang
- canonical/golang ssh
- vendor/fedoraproject
- canonical/fedoraproject extra packages for enterprise linux
- version/fedoraproject extra packages for enterprise linux/8.0
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- vendor/redhat
- canonical/redhat advanced cluster management for kubernetes
- version/redhat advanced cluster management for kubernetes/2.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- package-manager/redhat