{
  "threat_severity" : "Moderate",
  "public_date" : "2023-03-08T00:00:00Z",
  "bugzilla" : {
    "description" : "golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results",
    "id" : "2223355",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2223355"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-682",
  "details" : [ "The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.", "A flaw was found in the crypto/internal/nistec package of Go. The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars, that is, scalars larger than the order of the curve. This does not impact usages of crypto/ecdsa or crypto/ecdh." ],
  "affected_release" : [ {
    "product_name" : "MTA-6.2-RHEL-9",
    "release_date" : "2023-08-14T00:00:00Z",
    "advisory" : "RHSA-2023:4627",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9",
    "package" : "mta/mta-hub-rhel9:6.2.0-16"
  }, {
    "product_name" : "OADP-1.1-RHEL-8",
    "release_date" : "2023-09-20T00:00:00Z",
    "advisory" : "RHSA-2023:5314",
    "cpe" : "cpe:/a:redhat:openshift_api_data_protection:1.1::el8",
    "package" : "oadp/oadp-velero-rhel8:1.1.6-7"
  }, {
    "product_name" : "OSSO-1.1-RHEL-8",
    "release_date" : "2023-08-23T00:00:00Z",
    "advisory" : "RHSA-2023:4657",
    "cpe" : "cpe:/a:redhat:openshift_secondary_scheduler:1.1::el8",
    "package" : "openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8:v1.1-30"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-25T00:00:00Z",
    "advisory" : "RHSA-2023:3319",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "go-toolset:rhel8-8080020230517172404.6b4b45d8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-25T00:00:00Z",
    "advisory" : "RHSA-2023:3318",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "golang-0:1.19.9-2.el9_2"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.7",
    "release_date" : "2023-08-31T00:00:00Z",
    "advisory" : "RHSA-2023:4892",
    "cpe" : "cpe:/a:redhat:rhmt:1.7::el8",
    "package" : "rhmtc/openshift-velero-plugin-rhel8:v1.7.12-1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2023-10-19T00:00:00Z",
    "advisory" : "RHSA-2023:5935",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "rhosp-rhel8/osp-director-agent:1.3.0-10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2023-10-19T00:00:00Z",
    "advisory" : "RHSA-2023:5935",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "rhosp-rhel8/osp-director-downloader:1.3.0-11"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2023-10-19T00:00:00Z",
    "advisory" : "RHSA-2023:5935",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "rhosp-rhel8/osp-director-operator:1.3.0-9"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2023-10-19T00:00:00Z",
    "advisory" : "RHSA-2023:5935",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "rhosp-rhel8/osp-director-operator-bundle:1.3.0-19"
  }, {
    "product_name" : "RHODF-4.15-RHEL-9",
    "release_date" : "2024-03-19T00:00:00Z",
    "advisory" : "RHSA-2024:1383",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9",
    "package" : "odf4/cephcsi-rhel9:v4.15.0-37"
  }, {
    "product_name" : "RODOO-1.0-RHEL-8",
    "release_date" : "2023-10-26T00:00:00Z",
    "advisory" : "RHSA-2023:5947",
    "cpe" : "cpe:/a:redhat:run_once_duration_override_operator:1.0::el8",
    "package" : "run-once-duration-override-operator/run-once-duration-override-rhel8:v1.0-30"
  }, {
    "product_name" : "STF-1.5-RHEL-8",
    "release_date" : "2023-10-20T00:00:00Z",
    "advisory" : "RHSA-2023:5976",
    "cpe" : "cpe:/a:redhat:stf:1.5::el8",
    "package" : "stf/prometheus-webhook-snmp-rhel8:1.5.2-8"
  }, {
    "product_name" : "STF-1.5-RHEL-8",
    "release_date" : "2023-10-20T00:00:00Z",
    "advisory" : "RHSA-2023:5976",
    "cpe" : "cpe:/a:redhat:stf:1.5::el8",
    "package" : "stf/service-telemetry-operator-bundle:1.5.1697612918-1"
  }, {
    "product_name" : "STF-1.5-RHEL-8",
    "release_date" : "2023-10-20T00:00:00Z",
    "advisory" : "RHSA-2023:5976",
    "cpe" : "cpe:/a:redhat:stf:1.5::el8",
    "package" : "stf/service-telemetry-rhel8-operator:1.5.1-8"
  }, {
    "product_name" : "STF-1.5-RHEL-8",
    "release_date" : "2023-10-20T00:00:00Z",
    "advisory" : "RHSA-2023:5976",
    "cpe" : "cpe:/a:redhat:stf:1.5::el8",
    "package" : "stf/sg-bridge-rhel8:1.5.0-18"
  }, {
    "product_name" : "STF-1.5-RHEL-8",
    "release_date" : "2023-10-20T00:00:00Z",
    "advisory" : "RHSA-2023:5976",
    "cpe" : "cpe:/a:redhat:stf:1.5::el8",
    "package" : "stf/sg-core-rhel8:5.1.1-8"
  }, {
    "product_name" : "STF-1.5-RHEL-8",
    "release_date" : "2023-10-20T00:00:00Z",
    "advisory" : "RHSA-2023:5976",
    "cpe" : "cpe:/a:redhat:stf:1.5::el8",
    "package" : "stf/smart-gateway-operator-bundle:5.0.1697612918-1"
  }, {
    "product_name" : "STF-1.5-RHEL-8",
    "release_date" : "2023-10-20T00:00:00Z",
    "advisory" : "RHSA-2023:5976",
    "cpe" : "cpe:/a:redhat:stf:1.5::el8",
    "package" : "stf/smart-gateway-rhel8-operator:5.0.1-9"
  } ],
  "package_state" : [ {
    "product_name" : "Cryostat 2",
    "fix_state" : "Not affected",
    "package_name" : "cryostat-tech-preview/cryostat-rhel8-operator",
    "cpe" : "cpe:/a:redhat:cryostat:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/logging-loki-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Migration Toolkit for Virtualization",
    "fix_state" : "Affected",
    "package_name" : "migration-toolkit-virtualization/mtv-rhv-populator-rhel8",
    "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2"
  }, {
    "product_name" : "Network Observability Operator",
    "fix_state" : "Affected",
    "package_name" : "network-observability/network-observability-rhel9-operator",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Affected",
    "package_name" : "ocp-tools-4/jenkins-rhel8",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "openshift-serverless-1/client-kn-rhel8",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Affected",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Affected",
    "package_name" : "3scale-operator-container",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/volsync-mover-rclone-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Will not fix",
    "package_name" : "integration-service-registry-operator-container",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Out of support scope",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Will not fix",
    "package_name" : "rhods/odh-mm-rest-proxy-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/udi-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Affected",
    "package_name" : "rhosdt/jaeger-agent-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Affected",
    "package_name" : "openstack-baremetal-image-downloader-container",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "go-toolset-7-golang",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Web Terminal",
    "fix_state" : "Fix deferred",
    "package_name" : "web-terminal/web-terminal-rhel9-operator",
    "cpe" : "cpe:/a:redhat:webterminal:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-24532\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-24532\nhttps://go.dev/cl/471255\nhttps://go.dev/issue/58647\nhttps://groups.google.com/g/golang-announce/c/3-TpUx48iQY\nhttps://pkg.go.dev/vuln/GO-2023-1621" ],
  "name" : "CVE-2023-24532",
  "csaw" : false
}