Bug 1197284 - (CVE-2022-27191) VUL-0: CVE-2022-27191: docker, containerd, kubernetes, helm, helm3, etcd: crash in a golang.org/x/crypto/ssh server
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Jeff Kowalczyk
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/326380/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-27191:7.5:(AV:...
Reported: 2022-03-18 11:10 UTC by Thomas Leroy
Modified: 2023-03-20 12:14 UTC

Found By: Security Response Team
Description Thomas Leroy 2022-03-18 11:10:50 UTC
rh#2064702

A potential crash in a golang.org/x/crypto/ssh server under these conditions:

• The server has been configured by passing a Signer to ServerConfig.AddHostKey.
• The Signer passed to AddHostKey does not also implement AlgorithmSigner.
• The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2064702
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27191
Comment 1 Thomas Leroy 2022-03-18 12:46:48 UTC
Upstream fix commit:
https://github.com/golang/crypto/commit/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d

Fixed in package version v0.0.0-20220314234659-1baeb1ce4c0b
Comment 2 Thomas Leroy 2022-03-25 11:33:53 UTC
I actually don't know if we ship the golang.org/x/crypto package. It doesn't look like
Comment 4 Aleksa Sarai 2022-04-30 01:51:25 UTC
(In reply to Thomas Leroy from comment #2)
> I actually don't know if we ship the golang.org/x/crypto package. It doesn't
> look like

golang.org/x/crypto is a library, so any Go program we ship that uses their SSH server implementation is affected.
Comment 5 Jeff Kowalczyk 2022-05-01 21:26:48 UTC
(In reply to Aleksa Sarai from comment #4)
> (In reply to Thomas Leroy from comment #2)
> > I actually don't know if we ship the golang.org/x/crypto package. It doesn't
> > look like
> 
> golang.org/x/crypto is a library, so any Go program we ship that uses their
> SSH server implementation is affected.

After investigation, the go1.x tool chain packages are not affected by the CVE. Go applications which import golang.org/x/crypto/ssh specifically can be affected until updated, and we document a method to check both package sources and built binaries.

From the CVE:

The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

go1.x upstream releases do vendor the module golang.org/x/crypto (at $BUILD/go/src/vendor/golang.org/x/crypto) and the currently vendored versions are older than the fixed version:

$ grep crypto go1.17/go/src/vendor/modules.txt
# golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e

$ grep crypto go1.18/go/src/vendor/modules.txt
# golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3

Where it gets interesting for this CVE tracking issue is that the affected package golang.org/x/crypto/ssh (one part of module golang.org/x/crypto)
is not included in the go1.x releases:

Package sources (unpacked):

devel:languages:go $ find go1.1{7,8}/go -type d -name ssh

A sibling package as a sanity check that we are looking the right places:

devel:languages:go $ find go1.1{7,8}/go -type d -name hkdf
go1.17/go/src/vendor/golang.org/x/crypto/hkdf
go1.18/go/src/vendor/golang.org/x/crypto/hkdf

Package contents:

rpm -ql go1.1{7,8} |grep ssh
(no results)

The go mod vendor operation pulls in only packages which are imported by Go sources. The go1.x release sources and dependencies never import golang.org/x/crypto/ssh so the ssh package is not vendored.

Relevance for other Go applications

The Go module Minimum Version Selection (MVS) strategy selects the minimum version that satisfies the transitive set of dependencies included by the top level go.mod listing found by go build and related commands. Any Go application which imports the golang.org/x/crypto/ssh package should likely use a version newer than 0.0.0-20220314234659-1baeb1ce4c0b to address the CVE.

Each Go application or library will record a pinned version of a dependency as of the most recent version when upstream maintainers updated go.mod using e.g. go get importname@latest. While it is possible for packagers to locally override to require a newer go module as a short term fix, the Go recommendation is to submit a version bump PR to the relevant Go module upstream. The theory is that updates will propagate at the speed at which they are actually needed, in contrast to the latest available version selection model commonly used by other language package managers.

For go1.18+, Go binaries can be queried for embedded build metadata e.g.:

$ go version -m $(which hugo) |grep crypto
dep     golang.org/x/crypto     v0.0.0-20211108221036-ceb1ce70b4fa

This correlates to the top level metadata contents of vendor/modules.txt in build sources,
vendor/ typically being populated in an online phase with obs-service-go_modules:

devel:languages:go $ grep crypto hugo/vendor/modules.txt
# golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa
golang.org/x/crypto/pkcs12
golang.org/x/crypto/pkcs12/internal/rc2

Here, a pre-CVE version of golang.org/x/crypto is imported, but package ssh is not used, and the application is not affected. Currently, the go version -m command does not list the package level usage present in vendor/modules.txt.

https://pkg.go.dev/golang.org/x/crypto is an example of a package which as of this writing has not made any traditional numbered releases. This may be in part related to its infrastructure location as a feature testing incubator adjacent to but not part of the standard library. Since there are no release announcements for this type of module, from observation it seems that dependent packages maintainers receive fewer prompts to update their pinned versions. Propagation of newer versions seems to happen more slowly in these cases.
Comment 6 Swamp Workflow Management 2022-05-03 19:24:09 UTC
SUSE-SU-2022:1507-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192814,1193273,1193930,1196441,1197284,1197517
CVE References: CVE-2021-41190,CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.5.11-16.57.1, docker-20.10.14_ce-98.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Thomas Leroy 2022-05-04 15:36:04 UTC
Thank you very much for the investigations Jeff. Let me track Docker, containerd and Kubernetes as potentially affected for the moment.
We definitely need something that tracks every package that we ship, built with a given module/package... We are working on it.
Comment 8 Thomas Leroy 2022-05-05 10:25:21 UTC
For Kubernetes:

- SUSE:SLE-12:Update
 > $ grep -RFn 'golang.org/x/crypto' -A 2
---
Godeps/Godeps.json:1971:                        "ImportPath": "golang.org/x/crypto/ssh",
Godeps/Godeps.json-1972-                        "Rev": "c84e1f8e3a7e322d497cd16c0e8a13c7e127baf3" // From 2015: Affected
Godeps/Godeps.json-1973-                },

- SUSE:SLE-15-SP1:Update:Products:CASP40:Update
> $ grep crypto kubernetes-1.17.17/vendor/modules.txt
# golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 => golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975   // Affected
---
golang.org/x/crypto/ssh
golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
golang.org/x/crypto/ssh/terminal


For containerd:

- SUSE:SLE-12:Update

> $ grep crypto vendor/modules.txt
github.com/containers/ocicrypt/crypto/pkcs11
# golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2    // Affected
---
golang.org/x/crypto/ssh/terminal

- SUSE:SLE-15:Update 

> $ grep crypto vendor.conf
golang.org/x/crypto                                 75b288015ac94e66e3d6715fb68a9b41bf046ec2 // From 2020: Affected
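The manual checks in comment 5 (vendor/modules.txt and `go version -m` output) and the greps in comment 8 can be scripted. The following is an added example, not code from this bug, the Go toolchain or any package named here; it classifies either listing against the fixed pseudo-version, counts only package golang.org/x/crypto/ssh itself (not ssh/terminal) as pulling in the affected server, and assumes any tagged x/crypto release postdates the fix. The status names and the sample modules.txt are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CVE-2022-27191 is fixed in golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b;
// pseudo-versions embed the commit timestamp, so that is what gets compared.
const fixedTimestamp = "20220314234659"
var pseudoRe = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)
func versionFixed(v string) bool { // assumption: tagged releases (v0.1.0+) postdate the fix
	m := pseudoRe.FindStringSubmatch(v)
	return m == nil || m[1] >= fixedTimestamp
}

// Scan reads vendor/modules.txt ("# module version [=> repl]" then one vendored package per
// line) or `go version -m` output ("dep<TAB>module<TAB>version", which records no package
// usage). Status: absent, fixed, affected (old version and golang.org/x/crypto/ssh vendored),
// unused (old version, ssh not vendored), unknown (old version in a binary, usage unknown).
func Scan(text string) (version, status string) {
	usesSSH, haveModulesTxt := false, false
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) >= 3 && f[0] == "#" && f[1] == "golang.org/x/crypto":
			haveModulesTxt, version = true, f[2]
			if n := len(f); n >= 6 && f[n-3] == "=>" { // "mod v1 => mod v2": v2 is built
				version = f[n-1]
			}
		case len(f) >= 3 && f[0] == "dep" && f[1] == "golang.org/x/crypto":
			version = f[2]
		case len(f) == 1 && f[0] == "golang.org/x/crypto/ssh":
			usesSSH = true // only this package holds the server; ssh/terminal does not
		}
	}
	switch {
	case version == "":
		return "", "absent"
	case versionFixed(version):
		return version, "fixed"
	case usesSSH:
		return version, "affected"
	case haveModulesTxt:
		return version, "unused"
	}
	return version, "unknown"
}

// Constructed sample modelled on the kubernetes-1.17.17 modules.txt quoted in the bug.
const sampleModulesTxt = `# golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 => golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
golang.org/x/crypto/ssh
golang.org/x/crypto/ssh/terminal
`

func main() {
	v, s := Scan(sampleModulesTxt)
	fmt.Printf("golang.org/x/crypto %s: %s\n", v, s)
}
```

Feed it the output of `grep crypto vendor/modules.txt` for package sources, or of `go version -m <binary>` for a built Go 1.18+ binary (where the result can only be "unknown" or "fixed", since the binary records no package-level usage).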
Comment 9 Thomas Leroy 2022-05-05 10:54:26 UTC
Should also be affected:
- SUSE:SLE-15:Update/helm
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm3

etcd upstream updated their crypto dependency, but it looks like our SUSE:SLE-15-SP1:Update:Products:CASP40:Update/etcd is not using the crypto/ssh package.
Comment 10 Swamp Workflow Management 2022-05-16 16:18:47 UTC
SUSE-SU-2022:1689-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1193930,1196441,1197284,1197517
CVE References: CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1, docker-kubic-20.10.14_ce-150000.163.1
openSUSE Leap 15.3 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1, docker-kubic-20.10.14_ce-150000.163.1
SUSE Manager Server 4.1 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Manager Retail Branch Server 4.1 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Manager Proxy 4.1 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server for SAP 15 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    containerd-1.5.11-150000.68.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Micro 5.2 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Micro 5.1 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Micro 5.0 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Enterprise Storage 7 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Enterprise Storage 6 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE CaaS Platform 4.0 (src):    containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1

Comment 12 Hu 2022-08-12 10:09:41 UTC
@containers-bugowner: 

These codestreams are still affected, could you please take a look? Thanks!
- SUSE:SLE-12:Update/containerd
- SUSE:SLE-15:Update/containerd 

- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm3

- SUSE:SLE-12:Update/kubernetes
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update/kubernetes

As CVSS >7, please submit to the codestreams, thanks a lot :)
Comment 13 Swamp Workflow Management 2022-08-17 19:16:58 UTC
SUSE-SU-2022:2834-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182428,1196338,1197284
CVE References: CVE-2022-1227,CVE-2022-21698,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    podman-3.4.7-150400.4.3.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    podman-3.4.7-150400.4.3.1

Comment 14 Swamp Workflow Management 2022-08-18 10:18:13 UTC
SUSE-SU-2022:2839-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182428,1196338,1197284
CVE References: CVE-2022-1227,CVE-2022-21698,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    podman-3.4.7-150300.9.9.2
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    podman-3.4.7-150300.9.9.2
SUSE Linux Enterprise Micro 5.2 (src):    podman-3.4.7-150300.9.9.2
SUSE Linux Enterprise Micro 5.1 (src):    podman-3.4.7-150300.9.9.2
SUSE Enterprise Storage 7.1 (src):    podman-3.4.7-150300.9.9.2

Comment 17 Dan Čermák 2022-08-31 08:49:24 UTC
(In reply to Hu from comment #12)
> @containers-bugowner: 
> 
> These codestreams are still affected, could you please take a look? Thanks!
> - SUSE:SLE-12:Update/containerd
> - SUSE:SLE-15:Update/containerd

A backport has been submitted upstream for these codestreams via: https://github.com/containerd/containerd/pull/7340. We will wait for the next dot-release to automatically pick this up, as upstream does not consider themselves vulnerable.
Comment 18 Swamp Workflow Management 2022-09-01 14:52:00 UTC
SUSE-SU-2022:2839-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182428,1196338,1197284
CVE References: CVE-2022-1227,CVE-2022-21698,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    podman-3.4.7-150300.9.9.2

Comment 19 Vincent Moutoussamy 2022-09-26 09:39:42 UTC
Waiting for the successor of containerd: https://github.com/containerd/containerd/releases/tag/v1.6.8
Comment 31 Swamp Workflow Management 2022-12-12 14:19:24 UTC
SUSE-SU-2022:4409-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1197284,1206065,1206235
CVE References: CVE-2022-23471,CVE-2022-27191
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.6.12-16.68.1

Comment 32 Swamp Workflow Management 2022-12-13 20:24:07 UTC
SUSE-SU-2022:4463-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1197284,1206065,1206235
CVE References: CVE-2022-23471,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap Micro 5.3 (src):    containerd-1.6.12-150000.79.1
openSUSE Leap Micro 5.2 (src):    containerd-1.6.12-150000.79.1
openSUSE Leap 15.4 (src):    containerd-1.6.12-150000.79.1
openSUSE Leap 15.3 (src):    containerd-1.6.12-150000.79.1
SUSE Manager Server 4.1 (src):    containerd-1.6.12-150000.79.1
SUSE Manager Retail Branch Server 4.1 (src):    containerd-1.6.12-150000.79.1
SUSE Manager Proxy 4.1 (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Server for SAP 15 (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Server 15-LTSS (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Micro 5.3 (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Micro 5.2 (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise Micro 5.1 (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    containerd-1.6.12-150000.79.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    containerd-1.6.12-150000.79.1
SUSE Enterprise Storage 7 (src):    containerd-1.6.12-150000.79.1
SUSE Enterprise Storage 6 (src):    containerd-1.6.12-150000.79.1
SUSE CaaS Platform 4.0 (src):    containerd-1.6.12-150000.79.1

Comment 33 Vincent Moutoussamy 2023-01-09 10:47:19 UTC
I believe this can be closed now, what does the Security team think about it?
Comment 34 Vincent Moutoussamy 2023-03-20 10:44:04 UTC
Closing as MU is out, feel free to reopen if needed
Comment 35 Hu 2023-03-20 12:14:57 UTC
please reassign to security-team after you are done, so we can check if it can be closed

this one is done, thanks :)