Bug 1123013 (CVE-2019-6486)

Summary: VUL-0: CVE-2019-6486: go: DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves
Product: [Novell Products] SUSE Security Incidents Reporter: Karol Babioch <karol>
Component: IncidentsAssignee: Containers Team <containers-bugowner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: abergmann, asarai, containers-bugowner, fbergmann, fcastelli, jkowalczyk, jmassaguerpla, kkaempf, meissner, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/223658/
Whiteboard: CVSSv3:SUSE:CVE-2019-6486:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Karol Babioch 2019-01-24 10:16:36 UTC
CVE-2019-6486

---

This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.

---

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6486
https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
Comment 2 Jordi Massaguer 2019-01-29 11:57:07 UTC
Assigning to containers team so the bug squad leader can plan for this one.
@Florian, is there anything we need to do to have this in our backlog?
Comment 4 Karol Babioch 2019-01-30 11:03:02 UTC
Scanning Factory for packages that import this Go packages, yielded the following result:

caasp-dex is importing crypto/elliptic
chartmuseum is importing crypto/elliptic
coredns is importing crypto/elliptic
dex-oidc is importing crypto/elliptic
etcd is importing crypto/elliptic
golang-org-x-crypto is importing crypto/elliptic
heapster is importing crypto/elliptic
helm is importing crypto/elliptic
kbfs is importing crypto/elliptic
kubernetes-dashboard is importing crypto/elliptic
kubernetes is importing crypto/elliptic
kured is importing crypto/elliptic
sonobuoy is importing crypto/elliptic
syncthing is importing crypto/elliptic

We should at least fix/rebuild those packages that are also used in our SLE products.
Comment 5 Flavio Castelli 2019-01-30 11:29:13 UTC
Adding Jeff to CC, he's the maintainer of Go at SUSE.

We can take care of the packages related with CaaSP, but not about the others (for example synchthing)
Comment 7 Swamp Workflow Management 2019-02-27 11:01:53 UTC
This is an autogenerated message for OBS integration:
This bug (1123013) was mentioned in
https://build.opensuse.org/request/show/679777 Factory / go1.11
Comment 9 Swamp Workflow Management 2019-03-19 20:09:19 UTC
SUSE-SU-2019:0651-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123013
CVE References: CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    go1.11-1.11.5-1.9.1
Comment 10 Swamp Workflow Management 2019-03-25 11:11:31 UTC
This is an autogenerated message for OBS integration:
This bug (1123013) was mentioned in
https://build.opensuse.org/request/show/688187 Factory / go1.12
Comment 12 Swamp Workflow Management 2019-04-05 19:25:29 UTC
openSUSE-SU-2019:1164-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1123013
CVE References: CVE-2019-6486
Sources used:
openSUSE Leap 15.0 (src):    go1.11-1.11.5-lp150.6.4

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2019-05-14 22:40:04 UTC
SUSE-SU-2019:1234-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, go-1.12-3.10.1, go1.11-1.11.9-1.12.1, go1.12-1.12.4-1.9.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
SUSE Linux Enterprise Module for Containers 15 (src):    containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2019-05-16 13:41:24 UTC
SUSE-SU-2019:1264-1: An update that solves four vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.2.5-16.17.2, docker-18.09.6_ce-98.37.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-19.1
SUSE CaaS Platform 3.0 (src):    containerd-kubic-1.2.5-16.17.2, docker-kubic-18.09.6_ce-98.37.1, docker-runc-kubic-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2726_872f0a83c98a-19.1
OpenStack Cloud Magnum Orchestration 7 (src):    containerd-1.2.5-16.17.2, docker-18.09.6_ce-98.37.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2019-06-03 13:13:33 UTC
openSUSE-SU-2019:1499-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
openSUSE Leap 15.0 (src):    containerd-1.2.5-lp150.4.14.3, docker-18.09.6_ce-lp150.5.17.2, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp150.5.21.2, go-1.12-lp150.2.11.1, go1.11-1.11.9-lp150.9.3, go1.12-1.12.4-lp150.2.2, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp150.3.14.1
Comment 19 Swamp Workflow Management 2019-06-13 19:13:02 UTC
SUSE-SU-2019:1234-2: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, go-1.12-3.10.1, go1.11-1.11.9-1.12.1, go1.12-1.12.4-1.9.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Flavio Castelli 2019-09-23 09:21:04 UTC
I think this can be now closed as fixed.
Comment 21 Klaus Kämpf 2020-08-21 13:47:44 UTC
closed
Comment 22 OBSbugzilla Bot 2021-02-24 06:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1123013) was mentioned in
https://build.opensuse.org/request/show/874754 Factory / go