Vulnerability Name:

CVE-2022-30629 (CCN-229859)

Assigned:2022-06-01
Published:2022-06-01
Updated:2023-03-03
Summary:Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
CVSS v3 Severity:3.1 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
2.7 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
3.1 Low (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
2.7 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-331
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2022-30629

Source: XF
Type: UNKNOWN
golang-cve202230629-info-disc(229859)

Source: security@golang.org
Type: Patch
security@golang.org

Source: CCN
Type: Golang Web site
go1.18.3 (released 2022-06-01)

Source: security@golang.org
Type: Exploit, Issue Tracking, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Mailing List, Patch
security@golang.org

Source: CCN
Type: Golang Web page
[security] Go 1.18.3 and Go 1.17.11 are released

Source: security@golang.org
Type: Mailing List, Vendor Advisory
security@golang.org

Source: security@golang.org
Type: Vendor Advisory
security@golang.org

Source: CCN
Type: IBM Security Bulletin 6611591 (Cloud Pak for Integration)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to information disclosure CVE-2022-30629

Source: CCN
Type: IBM Security Bulletin 6611971 (Cloud Pak for Integration)
Operations Dashboard is vulnerable to remote connection exploit by Go CVE-2022-30629

Source: CCN
Type: IBM Security Bulletin 6619905 (Spectrum Copy Data Management)
Vulnerabilities in Golang Go, PostgreSQL, jQuery, and Google Gson may affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6619915 (Spectrum Protect Plus)
Vulnerabilities in Linux Kernel, OpenSSL, Golang Go, and Zlib may affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6619963 (Spectrum Protect Plus)
Vulnerabilities in Golang Go and MinIO may affect IBM Spectrum Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30634, CVE-2022-35919, CVE-2022-31028)

Source: CCN
Type: IBM Security Bulletin 6620897 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go

Source: CCN
Type: IBM Security Bulletin 6621115 (Spectrum Protect Server)
Vulnerabilities in IBM Db2, Golang Go, and Logback may affect the IBM Spectrum Protect Server (CVE-2022-30631, CVE-2022-30633, CVE-2022-1705, CVE-2022-22389, CVE-2022-22390, CVE-2021-42550, CVE-2022-30629)

Source: CCN
Type: IBM Security Bulletin 6825557 (Event Streams)
Multiple vulnerabilities in Golang Go affect IBM Event Streams

Source: CCN
Type: IBM Security Bulletin 6831591 (Robotic Process Automation)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Source: CCN
Type: IBM Security Bulletin 6837271 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container operator and IntegrationServer operands may be vulnerable to loss of confidentiality due to CVE-2022-30629

Source: CCN
Type: IBM Security Bulletin 6909423 (Cloud Pak for Multicloud Management Monitoring)
IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go

Source: CCN
Type: IBM Security Bulletin 6956311 (Cloud Pak for Multicloud Management)
Multiple Vulnerabilities in Multicloud Management Security Services

Source: CCN
Type: IBM Security Bulletin 6958068 (CICS TX Standard)
Multiple vulnerabilities in Go may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6966300 (Cloud Pak System Software Suite)
IBM Cloud Pak System is vulnerable to multiple vulnerabilities in Golang Go

Source: CCN
Type: IBM Security Bulletin 6966998 (WebSphere Automation)
Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
    • Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
    • Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.redhat.rhsa:def:20225775
    P
    		RHSA-2022:5775: go-toolset:rhel8 security and bug fix update (Important)
    2022-08-01
    oval:com.redhat.rhsa:def:20225799
    P
    		RHSA-2022:5799: go-toolset and golang security and bug fix update (Important)
    2022-08-01
    oval:org.opensuse.security:def:3693
    P
    		libupsclient1-2.7.4-3.3.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3694
    P
    		libusbmuxd4-1.0.10-2.3 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:518
    P
    		Security update for go1.18 (Important)
    2022-06-07
    oval:org.opensuse.security:def:1177
    P
    		Security update for go1.17 (Important)
    2022-06-07
    oval:org.opensuse.security:def:95323
    P
    		Security update for go1.17 (Important)
    2022-06-07
    oval:org.opensuse.security:def:1178
    P
    		Security update for go1.18 (Important)
    2022-06-07
    oval:org.opensuse.security:def:95324
    P
    		Security update for go1.18 (Important)
    2022-06-07
    oval:org.opensuse.security:def:517
    P
    		Security update for go1.17 (Important)
    2022-06-07
    BACK
    ibm spectrum protect plus 10.1.0
    ibm spectrum protect plus 10.1.5
    ibm event streams 10.0.0
    ibm event streams 10.1.0
    ibm spectrum protect plus 10.1.7
    ibm event streams 10.2.0
    ibm event streams 10.3.0
    ibm event streams 10.3.1
    ibm spectrum copy data management 2.2.0.0
    ibm robotic process automation 21.0.1
    ibm robotic process automation 21.0.2
    ibm app connect enterprise certified container 4.1
    ibm cics tx 11.1
    ibm app connect enterprise certified container 4.2
    ibm robotic process automation 21.0.3
    ibm robotic process automation 21.0.4
    ibm app connect enterprise certified container 5.0
    ibm app connect enterprise certified container 5.1
    ibm app connect enterprise certified container 5.2