First published: Tue Feb 28 2023(Updated: )
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
Credit: security@golang.org security@golang.org
Affected Software | Affected Version | How to fix |
---|---|---|
Golang Go | <1.19.6 | |
Golang Go | =1.20.0 | |
Golang Go | =1.20.0-rc1 | |
Golang Go | =1.20.0-rc2 | |
Golang Go | =1.20.0-rc3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2022-41724 is high, with a severity value of 7.5.
CVE-2022-41724 affects all TLS 1.3 clients and TLS 1.2 clients which explicitly enable session resumption, causing panics when attempting to construct responses.
CVE-2022-41724 affects servers when large TLS handshake records are sent by clients, causing servers to panic when attempting to construct responses.
Versions 1.19.6 and 1.20.0 of Golang are affected by CVE-2022-41724.
Yes, for Golang versions affected by CVE-2022-41724, upgrading to version 1.19.6 or 1.20.1 will address the vulnerability.