Etcd: Golang CVE-2019-6486

Created on 29 Jan 2019  路  7Comments  路  Source: etcd-io/etcd

Hi All,

I'm just opening this, as upstream golang 1.11.5/1.10.8 was released with a fix for cve CVE-2019-6486, which I believe affects etcd.

https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw

This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.

aresecurity
Source
picture knisbet

All 7 comments

@knisbet thanks for the report

hexfusion picture hexfusion on 30 Jan 2019

@hexfusion @jpbetz We need a patch release with the new Go runtime.

gyuho picture gyuho on 31 Jan 2019
👀1 👍1

I will work on scheduling for next week, this should only affect release-3.3 so Joe is off the hook.

hexfusion picture hexfusion on 31 Jan 2019

@hexfusion That's convenient! Ping me if you need any help.

jpbetz picture jpbetz on 1 Feb 2019
🎉1

@hexfusion @jpbetz We only need v3.3 patch release with 1.10.8.
@hexfusion will help us with the signing.

gyuho picture gyuho on 1 Feb 2019

Released v3.3.12 with Go 1.10.8.

https://github.com/etcd-io/etcd/releases/tag/v3.3.12

gyuho picture gyuho on 7 Feb 2019

Signing will be completed within the hour

hexfusion picture hexfusion on 7 Feb 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

olalonde picture olalonde  路  4Comments
r007m4n picture r007m4n  路  3Comments
gek0 picture gek0  路  3Comments
WanLinghao picture WanLinghao  路  4Comments
primeroz picture primeroz  路  3Comments