Vulnerability Name: | CVE-2021-34558 (CCN-205578) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assigned: | 2021-07-12 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Published: | 2021-07-12 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Updated: | 2022-08-04 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Summary: | The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CVSS v3 Severity: | 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) 5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
5.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CVSS v2 Severity: | 2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P)
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Vulnerability Type: | CWE-295 CWE-20 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Vulnerability Consequences: | Denial of Service | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
References: | Source: MITRE Type: CNA CVE-2021-34558 Source: XF Type: UNKNOWN go-cve202134558-dos(205578) Source: CCN Type: go GIT Repository crypto/tls: clients can panic when provided a certificate of the wrong type for the negotiated parameters (CVE-2021-34558) #47143 Source: MISC Type: Release Notes, Vendor Advisory https://golang.org/doc/devel/release#go1.16.minor Source: MISC Type: Mailing List, Third Party Advisory https://groups.google.com/g/golang-announce Source: MISC Type: Mailing List, Release Notes, Third Party Advisory https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ Source: CCN Type: Google Groups Web site Go 1.16.6 and Go 1.15.14 are released Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-1bfb61f77c Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-07e4d20196 Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-ffa749f7f7 Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-25c0011e78 Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-54f88bebd4 Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-3a55403080 Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-6ac9b98f9e Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-c35235c250 Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-47d259d3cf Source: GENTOO Type: Third Party Advisory GLSA-202208-02 Source: CONFIRM Type: Third Party Advisory https://security.netapp.com/advisory/ntap-20210813-0005/ Source: CCN Type: IBM Security Bulletin 6488897 (App Connect Enterprise Certified Container) IBM App Connect Enterprise Certified Container may be vulnerable to Denial of Service via CVE-2021-34558 Source: CCN Type: IBM Security Bulletin 6489851 (Cloud Automation Manager) A security vulnerability in Golang Go affects IBM Cloud Automation Manager Source: CCN Type: IBM Security Bulletin 6492207 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go Source: CCN Type: IBM Security Bulletin 6499711 (Cloud Pak for Integration) Operations Dashboard is vulnerable to multiple Go vulnerabilities Source: CCN Type: IBM Security Bulletin 6501839 (Cloud Pak for Integration) IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities Source: CCN Type: IBM Security Bulletin 6514825 (Cloud Pak for Multicloud Management) A security vulnerability in Golang Go affects IBM Cloud Pak for Multicloud Management Managed Services Source: CCN Type: IBM Security Bulletin 6519392 (Cloud Pak System) Multiple vulnerabilities have been found in Golang Go which is shipped with Cloud Pak System Source: CCN Type: IBM Security Bulletin 6524682 (Spectrum Protect Plus) Vulnerabilities in Redis, OpenSSH, Golang Go, and Apache Kafka may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift Source: CCN Type: IBM Security Bulletin 6525250 (Spectrum Copy Data Management) Vulnerabilities in PostgreSQL, Apache, Golang Go, and Linux Kernel affect IBM Spectrum Copy Data Management Source: CCN Type: IBM Security Bulletin 6536940 (Cloud Pak for Multicloud Management Security Services) Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC. Source: CCN Type: IBM Security Bulletin 6550866 (Security Guardium) IBM Security Guardium Insights is affected by multiple vulnerabilities Source: CCN Type: IBM Security Bulletin 6565099 (Planning Analytics) IBM Planning Analytics Workspace is affected by security vulnerabilities Source: CCN Type: IBM Security Bulletin 6574411 (Cloud Private) Security Vulnerabilities affect IBM Cloud Private - Golang (CVE-2021-34558) Source: CCN Type: IBM Security Bulletin 6606299 (Cloud Pak for Multicloud Management) IBM Cloud Pak for Multicloud Management Monitoring has multiple vulnerabilities associated with the Go runtime (CVE-2021-29923, CVE-2021-31525, CVE-2021-33194, CVE-2021-33195, CVE-2021-33196, CVE-2021-33197, CVE-2021-33198) Source: MISC Type: Patch, Third Party Advisory https://www.oracle.com/security-alerts/cpujan2022.html Source: CCN Type: Oracle CPUOct2021 Oracle Critical Patch Update Advisory - October 2021 Source: MISC Type: Patch, Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2021.html | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration 3: Configuration 4: Configuration RedHat 1: Configuration RedHat 2: Configuration CCN 1: Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Oval Definitions | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
BACK |