PT-2022-7693 · Google · Go

Published: 2022-02-11 · Updated: 2024-12-03 · CVE-2022-23806

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.16.14; Go versions 1.17.x prior to 1.17.7.

Description: The issue lies in the Curve.IsOnCurve component of the Go programming language and is classified as incorrect checking of the return value of a method or function. A remote attacker can use it to affect the availability and integrity of a resource. Specifically, some big.Int values that are not valid field elements, such as negative or overflowing values, can cause Curve.IsOnCurve to incorrectly return true. Operating on such values may cause a panic or an invalid curve operation.

Recommendations: For Go versions prior to 1.16.14, update to version 1.16.14 or later. For Go versions 1.17.x prior to 1.17.7, update to version 1.17.7 or later. As a temporary workaround, add checks that the coordinates are valid field elements before calling Curve.IsOnCurve, to reduce the risk of exploitation.
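The workaround described above, as an added Go example that is not part of this advisory or of the Go project: a guard that rejects any coordinate outside the range [0, P) before Curve.IsOnCurve is consulted, so negative or overflowing big.Int values never reach the curve code. It assumes the standard crypto/elliptic package and the P-256 curve; the inputs (the generator point, a negated Gx, and Gx + P) are constructed for illustration.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// validFieldElement reports whether v is a canonical element of the curve's
// prime field, i.e. 0 <= v < P. Negative or overflowing values are exactly the
// inputs the advisory describes as slipping past Curve.IsOnCurve.
func validFieldElement(curve elliptic.Curve, v *big.Int) bool {
	if v == nil || v.Sign() < 0 {
		return false
	}
	return v.Cmp(curve.Params().P) < 0
}

// safeIsOnCurve is the guarded wrapper the advisory's workaround calls for:
// it rejects non-canonical coordinates before consulting Curve.IsOnCurve, so
// a caller never goes on to operate on a point the curve code cannot handle.
func safeIsOnCurve(curve elliptic.Curve, x, y *big.Int) bool {
	if !validFieldElement(curve, x) || !validFieldElement(curve, y) {
		return false
	}
	return curve.IsOnCurve(x, y)
}

func main() {
	curve := elliptic.P256()
	p := curve.Params()

	// Constructed inputs (hypothetical, for illustration): the generator
	// point, a negative x coordinate, and x = Gx + P, which is congruent to
	// Gx modulo P but is not a valid field element.
	negX := new(big.Int).Neg(p.Gx)
	bigX := new(big.Int).Add(p.Gx, p.P)

	fmt.Println("generator:", safeIsOnCurve(curve, p.Gx, p.Gy))    // true
	fmt.Println("negative x:", safeIsOnCurve(curve, negX, p.Gy))   // false
	fmt.Println("overflowing x:", safeIsOnCurve(curve, bigX, p.Gy)) // false
}
```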

Weakness Enumeration

Unchecked Return Value

Related Identifiers

ALSA-2022:1819
ALT-PU-2022-1265
ALT-PU-2022-1283
ALT-PU-2022-1435
ALT-PU-2022-2873
AZL-79100
AZL-8524
BDU:2024-10793
BIT-GOLANG-2022-23806
CESA-2022_1819
CVE-2022-23806
DLA-2985-1
DLA-2986-1
DLA-3395-1
DLA-3395-2
GO-2021-0319
MGASA-2022-0091
OESA-2022-1585
OPENSUSE-SU-2022:0723-1
OPENSUSE-SU-2022:0724-1
OPENSUSE-SU-2022_0723-1
OPENSUSE-SU-2022_0724-1
OPENSUSE-SU-2024:11843-1
OPENSUSE-SU-2024:11844-1
RHSA-2022:1819
RHSA-2022:4860
RHSA-2022:5004
RHSA-2022:5068
RHSA-2022:5729
RHSA-2022:6094
RHSA-2022_1819
RLSA-2022:1819
SUSE-SU-2022:0723-1
SUSE-SU-2022:0724-1
SUSE-SU-2023:0600-1
SUSE-SU-2023:0601-1
SUSE-SU-2023:0602-1
SUSE-SU-2023:0603-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Go
Red Hat
RED OS
Rocky Linux
SUSE