CVE-2018-16875

Improper Certificate Validation

Published: Dec 14, 2018 | Modified: Nov 07, 2023
CVSS 3.x:  7.5 HIGH (source: NVD)
           Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x:  7.8 HIGH
           Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
RedHat/V2: (none listed)
RedHat/V3: 7.5 MODERATE
           Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu:    LOW

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name         Vendor   Start Version            End Version
Go           Golang   *                        1.10.6 (excluding)
Go           Golang   1.11.0 (including)       1.11.3 (excluding)
Golang       Ubuntu   trusty                   *
Golang-1.10  Ubuntu   bionic                   *
Golang-1.10  Ubuntu   cosmic                   *
Golang-1.10  Ubuntu   disco                    *
Golang-1.10  Ubuntu   esm-infra-legacy/trusty  *
Golang-1.10  Ubuntu   esm-infra/bionic         *
Golang-1.10  Ubuntu   trusty                   *
Golang-1.10  Ubuntu   trusty/esm               *
Golang-1.10  Ubuntu   upstream                 *
Golang-1.10  Ubuntu   xenial                   *
Golang-1.11  Ubuntu   upstream                 *
Golang-1.6   Ubuntu   trusty                   *
Golang-1.6   Ubuntu   xenial                   *
Golang-1.7   Ubuntu   cosmic                   *
Golang-1.8   Ubuntu   bionic                   *
Golang-1.8   Ubuntu   cosmic                   *
Golang-1.9   Ubuntu   bionic                   *
Golang-1.9   Ubuntu   cosmic                   *

Potential Mitigations

References