PT-2022-7290 · Go+10 · Go+10
Nervuri
·
Published
2022-05-10
·
Updated
2026-03-06
·
CVE-2022-30629
CVSS v3.1
3.1
Low
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Go versions prior to 1.17.11
Go versions prior to 1.18.3
Description
The issue is related to the use of non-random values for
ticket age add in session tickets in the crypto/tls package. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption, potentially leading to unauthorized access to session identifiers. An attacker can exploit this to correlate a resumed TLS session with a previous connection.Recommendations
For Go versions prior to 1.17.11, update to version 1.17.11 or later.
For Go versions prior to 1.18.3, update to version 1.18.3 or later.
As a temporary workaround, consider restricting access to the
crypto/tls package until a patch is available.Exploit
Fix
Use of Insufficiently Random Values
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Debian
Go
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu