CVE-2019-6486 - log

CVE-2019-6486 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Private key recovery
Description
+ Go versions before 1.10.8 and 1.11.5 have a vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves. A remote attacker can exploit this by crafting inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
References
+ https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
+ https://github.com/golang/go/issues/29903
+ https://github.com/golang/go/commit/42b42f71
Notes