cnvd - cnvd-2017-15401

cnvd-2017-15401

Vulnerability from cnvd

Title: Google Go存在漏洞

Description:

Google Go是美国谷歌（Google）公司的一种针对多处理器系统应用程序的编程进行了优化的编程语言。

Google Go 1.7.6之前的版本和1.8.2之前的1.8.x版本中的curve P-256实现过程存在安全漏洞。攻击者可利用该漏洞实施秘钥恢复攻击。

Severity: 中

Patch Name: Google Go存在漏洞的补丁

Patch Description:

Google Go是美国谷歌（Google）公司的一种针对多处理器系统应用程序的编程进行了优化的编程语言。

Google Go 1.7.6之前的版本和1.8.2之前的1.8.x版本中的curve P-256实现过程存在安全漏洞。攻击者可利用该漏洞实施秘钥恢复攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c

Reference: http://lists.opensuse.org/opensuse-updates/2017-06/msg00079.html

Impacted products

Name
['Google GO <1.7.6', 'Google GO 1.8.*，<1.8.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-8932",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8932"
    }
  },
  "description": "Google Go\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u7684\u4e00\u79cd\u9488\u5bf9\u591a\u5904\u7406\u5668\u7cfb\u7edf\u5e94\u7528\u7a0b\u5e8f\u7684\u7f16\u7a0b\u8fdb\u884c\u4e86\u4f18\u5316\u7684\u7f16\u7a0b\u8bed\u8a00\u3002\r\n\r\nGoogle Go 1.7.6\u4e4b\u524d\u7684\u7248\u672c\u548c1.8.2\u4e4b\u524d\u76841.8.x\u7248\u672c\u4e2d\u7684curve P-256\u5b9e\u73b0\u8fc7\u7a0b\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u65bd\u79d8\u94a5\u6062\u590d\u653b\u51fb\u3002",
  "discovererName": "Brad Fitzpatrick \u003cbradfitz@golang.org\u003e",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-15401",
  "openTime": "2017-07-19",
  "patchDescription": "Google Go\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u7684\u4e00\u79cd\u9488\u5bf9\u591a\u5904\u7406\u5668\u7cfb\u7edf\u5e94\u7528\u7a0b\u5e8f\u7684\u7f16\u7a0b\u8fdb\u884c\u4e86\u4f18\u5316\u7684\u7f16\u7a0b\u8bed\u8a00\u3002\r\n\r\nGoogle Go 1.7.6\u4e4b\u524d\u7684\u7248\u672c\u548c1.8.2\u4e4b\u524d\u76841.8.x\u7248\u672c\u4e2d\u7684curve P-256\u5b9e\u73b0\u8fc7\u7a0b\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u65bd\u79d8\u94a5\u6062\u590d\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Google Go\u5b58\u5728\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Google GO \u003c1.7.6",
      "Google GO  1.8.*\uff0c\u003c1.8.2"
    ]
  },
  "referenceLink": "http://lists.opensuse.org/opensuse-updates/2017-06/msg00079.html",
  "serverity": "\u4e2d",
  "submitTime": "2017-07-10",
  "title": "Google Go\u5b58\u5728\u6f0f\u6d1e"
}

CVE-2017-8932 (GCVE-0-2017-8932)

Vulnerability from cvelistv5

Published

2017-07-06 16:00

Modified

2024-08-05 16:48

Severity ?

CWE

Summary

A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.

References

▼	URL	Tags
	https://groups.google.com/d/msg/golang-announce/B5ww0iFt1_Q/TgUFJV14BgAJ	mailing-list, x_refsource_MLIST
	https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2017:1859	vendor-advisory, x_refsource_REDHAT
	http://lists.opensuse.org/opensuse-updates/2017-06/msg00080.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-updates/2017-06/msg00079.html	vendor-advisory, x_refsource_SUSE
	https://bugzilla.redhat.com/show_bug.cgi?id=1455191	x_refsource_MISC
	https://github.com/golang/go/issues/20040	x_refsource_CONFIRM
	https://go-review.googlesource.com/c/41070/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZH4T47ROLZ6YEZBDVXVS2KISTDMXAPS/	vendor-advisory, x_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:48:22.902Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[golang-announce] 20170523  [security] Go 1.7.6 and Go 1.8.2 are released",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://groups.google.com/d/msg/golang-announce/B5ww0iFt1_Q/TgUFJV14BgAJ"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c"
          },
          {
            "name": "RHSA-2017:1859",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:1859"
          },
          {
            "name": "openSUSE-SU-2017:1650",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2017-06/msg00080.html"
          },
          {
            "name": "openSUSE-SU-2017:1649",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2017-06/msg00079.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1455191"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/golang/go/issues/20040"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://go-review.googlesource.com/c/41070/"
          },
          {
            "name": "FEDORA-2017-278f46fcd6",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZH4T47ROLZ6YEZBDVXVS2KISTDMXAPS/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-05-23T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-04T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "[golang-announce] 20170523  [security] Go 1.7.6 and Go 1.8.2 are released",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://groups.google.com/d/msg/golang-announce/B5ww0iFt1_Q/TgUFJV14BgAJ"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c"
        },
        {
          "name": "RHSA-2017:1859",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:1859"
        },
        {
          "name": "openSUSE-SU-2017:1650",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2017-06/msg00080.html"
        },
        {
          "name": "openSUSE-SU-2017:1649",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2017-06/msg00079.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1455191"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/golang/go/issues/20040"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://go-review.googlesource.com/c/41070/"
        },
        {
          "name": "FEDORA-2017-278f46fcd6",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZH4T47ROLZ6YEZBDVXVS2KISTDMXAPS/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-8932",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[golang-announce] 20170523  [security] Go 1.7.6 and Go 1.8.2 are released",
              "refsource": "MLIST",
              "url": "https://groups.google.com/d/msg/golang-announce/B5ww0iFt1_Q/TgUFJV14BgAJ"
            },
            {
              "name": "https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c",
              "refsource": "CONFIRM",
              "url": "https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c"
            },
            {
              "name": "RHSA-2017:1859",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:1859"
            },
            {
              "name": "openSUSE-SU-2017:1650",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2017-06/msg00080.html"
            },
            {
              "name": "openSUSE-SU-2017:1649",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2017-06/msg00079.html"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1455191",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1455191"
            },
            {
              "name": "https://github.com/golang/go/issues/20040",
              "refsource": "CONFIRM",
              "url": "https://github.com/golang/go/issues/20040"
            },
            {
              "name": "https://go-review.googlesource.com/c/41070/",
              "refsource": "CONFIRM",
              "url": "https://go-review.googlesource.com/c/41070/"
            },
            {
              "name": "FEDORA-2017-278f46fcd6",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZH4T47ROLZ6YEZBDVXVS2KISTDMXAPS/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-8932",
    "datePublished": "2017-07-06T16:00:00",
    "dateReserved": "2017-05-15T00:00:00",
    "dateUpdated": "2024-08-05T16:48:22.902Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted