CVE-2021-3114 - log back

CVE-2021-3114 edited at 20 Jan 2021 09:42:15
Description
- The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.
+ A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.
References
+ https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ
https://github.com/golang/go/issues/43788
https://github.com/golang/go/commit/5c8fd727c41e31273923c32b33d4f25855f4e123
CVE-2021-3114 edited at 20 Jan 2021 09:38:16
Severity
- Unknown
+ Low
Remote
- Unknown
+ Local
Type
- Unknown
+ Incorrect calculation
Description
+ The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.
References
+ https://github.com/golang/go/issues/43788
+ https://github.com/golang/go/commit/5c8fd727c41e31273923c32b33d4f25855f4e123
Notes
CVE-2021-3114 created at 20 Jan 2021 09:34:37