Fluid Attacks Database

Description

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=0 <1.17.11	1.17.11
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
rpm rhel9	golang	<0:1.17.12-1.el9_0	0:1.17.12-1.el9_0
rpm rhel8	grafana-pcp	-	-
rpm rhel8	toolbox	-	-
rpm rhel7	skopeo	-	-
rpm rhel7	buildah	-	-
rpm rhel8	conmon	-	-
rpm rhel8	buildah	-	-
rpm rhel9	buildah	<1:1.29.1-1.el9	1:1.29.1-1.el9

1-10 of 28

Aliases

1. CVE-2022-306292. NVD-2022-306293. OSV-GO-2022-05314. OSV-2022-306295. OSV-DEBIAN-2022-306296. GCVE-2022-306297. SECURITY-TRACKER-CVE-2022-30629

References

1. https://go.dev/cl/4059942. https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a53. https://go.dev/issue/528144. https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.