CVE-2022-41724: Panic on large handshake records in crypto/tls
First published: Tue Feb 28 2023(Updated: )
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
Credit: security@golang.org security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Golang Go | <1.19.6 | |
| Golang Go | =1.20.0 | |
| Golang Go | =1.20.0-rc1 | |
| Golang Go | =1.20.0-rc2 | |
| Golang Go | =1.20.0-rc3 |
Remedy
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://go.dev/issue/58001
- https://go.dev/cl/468125
- https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
- https://pkg.go.dev/vuln/GO-2023-1570
- https://security.gentoo.org/glsa/202311-09
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2178495
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2178496
- https://access.redhat.com/errata/RHSA-2023:1639
- https://access.redhat.com/errata/RHSA-2023:1817
- https://access.redhat.com/errata/RHSA-2023:2107
- https://access.redhat.com/errata/RHSA-2023:3083
- https://access.redhat.com/errata/RHSA-2023:1326
- https://access.redhat.com/errata/RHSA-2023:1325
- https://access.redhat.com/errata/RHSA-2023:3167
- https://access.redhat.com/errata/RHSA-2023:0584
- https://access.redhat.com/errata/RHSA-2023:3303
- https://access.redhat.com/errata/RHSA-2023:3445
- https://access.redhat.com/errata/RHSA-2023:3450
- https://access.redhat.com/errata/RHSA-2023:3455
- https://access.redhat.com/errata/RHSA-2023:3366
- https://access.redhat.com/security/cve/cve-2022-41724
- https://access.redhat.com/errata/RHSA-2023:3742
- https://access.redhat.com/errata/RHSA-2023:3612
- https://access.redhat.com/errata/RHSA-2023:4003
- https://access.redhat.com/errata/RHSA-2023:4470
- https://access.redhat.com/errata/RHSA-2023:4335
- https://access.redhat.com/errata/RHSA-2023:4627
- https://access.redhat.com/errata/RHSA-2023:5935
- https://access.redhat.com/errata/RHSA-2023:5964
- https://access.redhat.com/errata/RHSA-2023:5976
- https://access.redhat.com/errata/RHSA-2023:6363
- https://access.redhat.com/errata/RHSA-2023:6380
- https://access.redhat.com/errata/RHSA-2023:6402
- https://access.redhat.com/errata/RHSA-2023:6473
- https://access.redhat.com/errata/RHSA-2023:6474
- https://access.redhat.com/errata/RHSA-2023:6817
- https://access.redhat.com/errata/RHSA-2023:6938
- https://access.redhat.com/errata/RHSA-2023:6939
- https://access.redhat.com/errata/RHSA-2023:7672
- https://bugzilla.redhat.com/show_bug.cgi?id=2178492
Frequently Asked Questions
What is the severity of CVE-2022-41724?
The severity of CVE-2022-41724 is high, with a severity value of 7.5.
How does CVE-2022-41724 affect clients?
CVE-2022-41724 affects all TLS 1.3 clients and TLS 1.2 clients which explicitly enable session resumption, causing panics when attempting to construct responses.
How does CVE-2022-41724 affect servers?
CVE-2022-41724 affects servers when large TLS handshake records are sent by clients, causing servers to panic when attempting to construct responses.
Which versions of Golang are affected by CVE-2022-41724?
Versions 1.19.6 and 1.20.0 of Golang are affected by CVE-2022-41724.
Is there a remedy available for CVE-2022-41724?
Yes, for Golang versions affected by CVE-2022-41724, upgrading to version 1.19.6 or 1.20.1 will address the vulnerability.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/mitre-cve
- collector/nvd-api
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-41724
- agent/software-canonical-lookup
- vendor/golang
- canonical/golang go
- version/golang go/1.20.0
- version/golang go/1.20.0-rc1
- version/golang go/1.20.0-rc2
- version/golang go/1.20.0-rc3
- package-manager/redhat