PT-2018-3480 · Google · Go
Published 2018-09-07 · Updated 2025-11-28
CVE-2018-16875
CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions:
Go versions prior to 1.10.6
Go versions 1.11.x prior to 1.11.3
Description:
The crypto/x509 package of Go does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected: a server that requests a client certificate verifies whatever chain an unauthenticated client sends, and a client verifies whatever chain the server sends, so either peer can trigger the expensive verification before any authentication has taken place.
Recommendations:
For Go versions prior to 1.10.6, update to version 1.10.6 or later to resolve the issue.
For Go versions 1.11.x prior to 1.11.3, update to version 1.11.3 or later to resolve the issue.
Affected versions expose no setting that limits the work done per chain verification; the fix adds a fixed cap on the number of signature checks inside the crypto/x509 verifier itself. Until the upgrade is deployed, reduce exposure instead: on servers, do not request or require client certificates (tls.Config.ClientAuth = tls.NoClientCert) unless they are actually needed; where they are needed, or for clients that connect to untrusted servers, bound the number of certificates a peer may present before handing the chain to the verifier.
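Two checks a practitioner would want here, as an added example that is not part of this advisory or of Go's own fix: a version gate for the affected ranges listed above, and a TLS configuration that bounds the size of the peer-supplied chain before crypto/x509 verifies it. The function names and the `maxPeerCerts` cap are assumptions made for this example. The cap is a compensating control that shrinks the search space an unauthenticated peer can force; it is not equivalent to the upstream fix, which caps signature checks inside the verifier.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// goVersionAffected reports whether a runtime.Version()-style string ("go1.11.2")
// is before 1.10.6 or is 1.11.x before 1.11.3; "go1.11rc1" counts as 1.11.0.
func goVersionAffected(v string) (bool, error) {
	if !strings.HasPrefix(v, "go") { // development builds report "devel +<hash>"
		return false, fmt.Errorf("unrecognised Go version string %q", v)
	}
	var nums [3]int // major, minor, patch; absent components stay 0
	for i, part := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		if j := strings.IndexFunc(part, func(r rune) bool { return r < '0' || r > '9' }); j >= 0 {
			part = part[:j] // "11rc1" -> "11"
		}
		n, err := strconv.Atoi(part)
		if err != nil {
			return false, fmt.Errorf("bad component %q in Go version %q", part, v)
		}
		nums[i] = n
	}
	switch minor, patch := nums[1], nums[2]; {
	case nums[0] != 1:
		return false, nil
	case minor < 10:
		return true, nil // everything before 1.10.6
	case minor == 10:
		return patch < 6, nil
	case minor == 11:
		return patch < 3, nil
	default:
		return false, nil // 1.12 and later carry the fix
	}
}

// maxPeerCerts is an assumed cap on how many certificates a peer may present.
// Chain building searches paths through the presented intermediates, so
// bounding their count bounds the work an unauthenticated peer can impose.
const maxPeerCerts = 5

// boundedVerifier returns a tls.Config.VerifyPeerCertificate callback that rejects
// oversized or malformed chains, then runs the normal verification against roots.
func boundedVerifier(roots *x509.CertPool, dnsName string, usage x509.ExtKeyUsage) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if n := len(rawCerts); n == 0 || n > maxPeerCerts {
			return fmt.Errorf("peer sent %d certificates (allowed 1..%d)", n, maxPeerCerts)
		}
		certs := make([]*x509.Certificate, len(rawCerts))
		for i, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return fmt.Errorf("certificate %d: %v", i, err)
			}
			certs[i] = c
		}
		intermediates := x509.NewCertPool()
		for _, c := range certs[1:] {
			intermediates.AddCert(c)
		}
		_, err := certs[0].Verify(x509.VerifyOptions{
			Roots: roots, Intermediates: intermediates, DNSName: dnsName,
			KeyUsages: []x509.ExtKeyUsage{usage},
		})
		return err
	}
}

// clientConfig: InsecureSkipVerify only disables the built-in check; the callback does the real verification.
func clientConfig(roots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: boundedVerifier(roots, serverName, x509.ExtKeyUsageServerAuth),
	}
}

// serverConfig asks for a client certificate but leaves verification to the callback
// (RequireAnyClientCert rather than RequireAndVerifyClientCert).
func serverConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth:            tls.RequireAnyClientCert,
		VerifyPeerCertificate: boundedVerifier(clientCAs, "", x509.ExtKeyUsageClientAuth),
	}
}

func main() {
	affected, err := goVersionAffected(runtime.Version())
	fmt.Println(runtime.Version(), "affected:", affected, "err:", err)
}
```

If a server does not need client certificates at all, `tls.NoClientCert` is the simpler and safer choice; `serverConfig` is for deployments that cannot drop mutual TLS before upgrading. On the client side, note that `InsecureSkipVerify: true` without the `VerifyPeerCertificate` callback would disable verification entirely, so the two settings must always travel together.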
Tags: DoS · Improper Certificate Validation
Affected Products
Alt Linux
Go
Suse