New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: CPU denial of service in chain validation #29233

Closed
dmitshur opened this Issue Dec 13, 2018 · 6 comments

Comments

Projects
None yet
4 participants
@dmitshur
Copy link
Member

dmitshur commented Dec 13, 2018

Package crypto/x509 parses and validates X.509-encoded keys and certificates. It's supposed to handle certificate chains provided by an attacker with reasonable resource use.

The crypto/x509 package does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients verifying certificates are affected.

Thanks to Netflix for discovering and reporting this issue.

This issue is CVE-2018-16875.

@FiloSottile

This comment has been minimized.

Copy link
Member

FiloSottile commented Dec 13, 2018

Fixed in Go 1.11.3 by df52396.
Fixed in Go 1.10.6 by 0a4a37f.

@dmitshur dmitshur changed the title crypto/x509: CPU denial of service crypto/x509: CPU denial of service in chain validation Dec 13, 2018

thaJeztah added a commit to thaJeztah/docker that referenced this issue Dec 13, 2018

Bump Golang 1.11.3 (CVE-2018-16875)
go1.11.1 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.1 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

thaJeztah added a commit to thaJeztah/docker that referenced this issue Dec 13, 2018

Bump Golang 1.10.6 (CVE-2018-16875)
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

thaJeztah added a commit to thaJeztah/docker that referenced this issue Dec 13, 2018

Bump Golang 1.11.3 (CVE-2018-16875)
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@gopherbot

This comment has been minimized.

Copy link

gopherbot commented Dec 13, 2018

Change https://golang.org/cl/154105 mentions this issue: crypto/x509: limit number of signature checks for each verification

thaJeztah added a commit to thaJeztah/golang-cross that referenced this issue Dec 13, 2018

Bump Golang 1.11.3 (CVE-2018-16875)
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

thaJeztah added a commit to thaJeztah/golang-cross that referenced this issue Dec 14, 2018

Bump Golang 1.10.6 (CVE-2018-16875)
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

thaJeztah added a commit to thaJeztah/cli that referenced this issue Dec 14, 2018

Bump Golang 1.10.6 (CVE-2018-16875)
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

thaJeztah added a commit to thaJeztah/cli that referenced this issue Dec 14, 2018

Bump Golang 1.10.6 (CVE-2018-16875)
go1.10.6 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.10.6 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.10.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

@gopherbot gopherbot closed this in 7701306 Dec 14, 2018

thaJeztah added a commit to thaJeztah/docker-ce-packaging that referenced this issue Dec 14, 2018

Bump Golang 1.11.3 (CVE-2018-16875)
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

zouyee added a commit to zouyee/test-infra that referenced this issue Dec 14, 2018

CVE-2018-16875
From golang/go#29233

Package crypto/x509 parses and validates X.509-encoded keys and certificates. It's supposed to handle certificate chains provided by an attacker with reasonable resource use.

The crypto/x509 package does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients verifying certificates are affected.

Go 1.11.3 and 1.10.6 have been released with this fixed.

thaJeztah added a commit to thaJeztah/docker-ce-packaging that referenced this issue Dec 14, 2018

Bump Golang 1.11.3 (CVE-2018-16875)
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

thaJeztah added a commit to thaJeztah/docker-ce-packaging that referenced this issue Dec 14, 2018

Bump Golang 1.11.3 (CVE-2018-16875)
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

bweston92 added a commit to bweston92/charts that referenced this issue Dec 18, 2018

Bump Traefik version to 1.7.6 resolved CVE-2018-16875
* Issue: [golang/go#29233]
* Release of Traefik with fix: [https://github.com/containous/traefik/releases/tag/v1.7.6]

Signed-off-by: Bradley Weston <hello@bweston.me>

PirminTapken added a commit to Jimdo/download-watch that referenced this issue Dec 18, 2018

PirminTapken added a commit to Jimdo/yaml-vault that referenced this issue Dec 18, 2018

PirminTapken added a commit to Jimdo/vault-unseal that referenced this issue Dec 18, 2018

PirminTapken added a commit to Jimdo/ec2-filter that referenced this issue Dec 18, 2018

PirminTapken added a commit to Jimdo/pull-request-closer that referenced this issue Dec 18, 2018

PirminTapken added a commit to Jimdo/periodicnoise that referenced this issue Dec 18, 2018

TOOLS-652 use latest go
in order to tackle golang/go#29233

thaJeztah added a commit to thaJeztah/cli that referenced this issue Dec 19, 2018

Bump Golang 1.11.4 (includes fix for CVE-2018-16875)
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

docker-jenkins pushed a commit to docker/docker-ce that referenced this issue Dec 19, 2018

Bump Golang 1.11.3 (CVE-2018-16875)
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 6b7c093b0de21d574ce120aee891e60187749174
Component: engine

cirocosta pushed a commit to concourse/charts that referenced this issue Dec 20, 2018

Bump Traefik version to 1.7.6 resolved CVE-2018-16875 (helm#10096)
* Bump Traefik version to 1.7.6 resolved CVE-2018-16875

* Issue: [golang/go#29233]
* Release of Traefik with fix: [https://github.com/containous/traefik/releases/tag/v1.7.6]

Signed-off-by: Bradley Weston <hello@bweston.me>

* fix chart and readme

Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>

coreypobrien added a commit to reactiveops/helm-charts that referenced this issue Dec 31, 2018

Bump Traefik version to 1.7.6 resolved CVE-2018-16875 (helm#10096)
* Bump Traefik version to 1.7.6 resolved CVE-2018-16875

* Issue: [golang/go#29233]
* Release of Traefik with fix: [https://github.com/containous/traefik/releases/tag/v1.7.6]

Signed-off-by: Bradley Weston <hello@bweston.me>

* fix chart and readme

Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>

ivanmp91 pushed a commit to softonic/charts that referenced this issue Jan 3, 2019

Bump Traefik version to 1.7.6 resolved CVE-2018-16875 (helm#10096)
* Bump Traefik version to 1.7.6 resolved CVE-2018-16875

* Issue: [golang/go#29233]
* Release of Traefik with fix: [https://github.com/containous/traefik/releases/tag/v1.7.6]

Signed-off-by: Bradley Weston <hello@bweston.me>

* fix chart and readme

Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>
Signed-off-by: Iván Mora <ivan.mora@ST-A135-5LLG8WP.domino.softonic.com>

docker-jenkins pushed a commit to docker/docker-ce that referenced this issue Jan 8, 2019

Bump Golang 1.11.4 (includes fix for CVE-2018-16875)
go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
runtime, documentation, go command, and the net/http and go/types packages. It
includes a fix to a bug introduced in Go 1.11.3 that broke go get for import
path patterns containing "...".

See the Go 1.11.4 milestone for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved

go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: deaf6e13ab067e6794d20ec980b4ae216b65d07c
Component: cli

wgiddens pushed a commit to wgiddens/charts that referenced this issue Jan 18, 2019

Bump Traefik version to 1.7.6 resolved CVE-2018-16875 (helm#10096)
* Bump Traefik version to 1.7.6 resolved CVE-2018-16875

* Issue: [golang/go#29233]
* Release of Traefik with fix: [https://github.com/containous/traefik/releases/tag/v1.7.6]

Signed-off-by: Bradley Weston <hello@bweston.me>

* fix chart and readme

Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>
@abarisani

This comment has been minimized.

Copy link

abarisani commented Jan 31, 2019

I am experiencing failure in tls.RequireAndVerifyClientCert with otherwise previously valid combination of CA - Client Certificate.

The TLS server, compiled with go1.11.2 happily accepts the client certificate validated against the CA.

However the TLS server, compiled with go1.11.3, raises a tls: failed to verify client's certificate: x509: certificate signed by unknown authority.

Are there known incompatibilities caused by this patch when evaluating CAs for inclusion incertPool.AppendCertsFromPEM or verified with a tls.Config using ClientAuth: tls.RequireAndVerifyClientCert ?

@abarisani

This comment has been minimized.

Copy link

abarisani commented Jan 31, 2019

The issue appeared to be linked to changes in func (s *CertPool) findPotentialParents(cert *Certificate) []int.

My certificate has an AuthorityKeyId, however the certificate pool only has the byName map filled.

The previous logic reverted to finding candidates by name if none were found by AuthorityKeyId, the new code does not.

@dmitshur

This comment has been minimized.

Copy link
Member Author

dmitshur commented Jan 31, 2019

/cc @FiloSottile Can you tell if the above is a problem with the fix? If you need more information, let's ask @abarisani to make a new issue report, and reference this closed issue in it.

@gopherbot

This comment has been minimized.

Copy link

gopherbot commented Feb 4, 2019

Change https://golang.org/cl/161097 mentions this issue: crypto/x509: consider parents by Subject if AKID has no match

gopherbot pushed a commit that referenced this issue Feb 7, 2019

crypto/x509: consider parents by Subject if AKID has no match
If a certificate somehow has an AKID, it should still chain successfully
to a parent without a SKID, even if the latter is invalid according to
RFC 5280, because only the Subject is authoritative.

This reverts to the behavior before #29233 was fixed in 7701306. Roots
with the right subject will still be shadowed by roots with the right
SKID and the wrong subject, but that's been the case for a long time, and
is left for a more complete fix in Go 1.13.

Updates #30079

Change-Id: If8ab0179aca86cb74caa926d1ef93fb5e416b4bb
Reviewed-on: https://go-review.googlesource.com/c/161097
Reviewed-by: Adam Langley <agl@golang.org>

nebulabox added a commit to nebulabox/go that referenced this issue Feb 18, 2019

crypto/x509: consider parents by Subject if AKID has no match
If a certificate somehow has an AKID, it should still chain successfully
to a parent without a SKID, even if the latter is invalid according to
RFC 5280, because only the Subject is authoritative.

This reverts to the behavior before golang#29233 was fixed in 7701306. Roots
with the right subject will still be shadowed by roots with the right
SKID and the wrong subject, but that's been the case for a long time, and
is left for a more complete fix in Go 1.13.

Updates golang#30079

Change-Id: If8ab0179aca86cb74caa926d1ef93fb5e416b4bb
Reviewed-on: https://go-review.googlesource.com/c/161097
Reviewed-by: Adam Langley <agl@golang.org>

nebulabox added a commit to nebulabox/go that referenced this issue Feb 20, 2019

crypto/x509: consider parents by Subject if AKID has no match
If a certificate somehow has an AKID, it should still chain successfully
to a parent without a SKID, even if the latter is invalid according to
RFC 5280, because only the Subject is authoritative.

This reverts to the behavior before golang#29233 was fixed in 7701306. Roots
with the right subject will still be shadowed by roots with the right
SKID and the wrong subject, but that's been the case for a long time, and
is left for a more complete fix in Go 1.13.

Updates golang#30079

Change-Id: If8ab0179aca86cb74caa926d1ef93fb5e416b4bb
Reviewed-on: https://go-review.googlesource.com/c/161097
Reviewed-by: Adam Langley <agl@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment