PT-2023-9028 · Unknown+11 · Crypto/Tls+11

Marten Seemann · Published 2023-02-15 · Updated 2024-11-14 · CVE-2022-41724

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: crypto/tls versions prior to the fixed version

Description: Large TLS handshake records may cause panics in crypto/tls. Both clients and servers may send oversized handshake records, and the peer that receives one can panic when it attempts to construct its response. This affects all TLS 1.3 clients, TLS 1.2 clients that explicitly enable session resumption by setting Config.ClientSessionCache to a non-nil value, and TLS 1.3 servers that request client certificates by setting Config.ClientAuth to a value greater than or equal to RequestClientCert.

Recommendations: As a temporary workaround, consider disabling Config.ClientSessionCache for TLS 1.2 clients and restricting the use of Config.ClientAuth for TLS 1.3 servers until a patch is available. For TLS 1.3 clients, consider implementing a handshake record size limit so that large records are not sent. For TLS 1.2 clients with session resumption enabled, consider disabling session resumption until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
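The three affected configurations in the description map directly onto tls.Config fields, so an operator can audit existing configs and apply the recommended workarounds programmatically. The Go program below is an added example written for this page; it is not code from the Go project or from the advisory. Assess classifies a tls.Config against the description's three cases, and HardenedClientConfig / HardenedServerConfig apply the workarounds (nil ClientSessionCache; ClientAuth below RequestClientCert). The Exposure type and all function names are this example's own. One assumption is worth stating: the record-size limit the advisory suggests for TLS 1.3 clients is not a crypto/tls configuration option, so the hardened client here instead caps MaxVersion at TLS 1.2, the only client shape the description lists as unaffected; that gives up TLS 1.3 and should be reverted once a patched toolchain is in use.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Exposure records which of the affected configurations from the advisory a
// tls.Config falls into. The type and field names are this example's own.
type Exposure struct {
	TLS13Client           bool // client able to negotiate TLS 1.3 (all affected)
	TLS12ClientResumption bool // TLS 1.2-capped client with ClientSessionCache set
	TLS13ServerClientAuth bool // TLS 1.3 server with ClientAuth >= RequestClientCert
}

// Any reports whether the config matches at least one affected case.
func (e Exposure) Any() bool {
	return e.TLS13Client || e.TLS12ClientResumption || e.TLS13ServerClientAuth
}

// allowsTLS13 reports whether cfg can negotiate TLS 1.3. A zero MaxVersion
// means crypto/tls applies its default maximum, which is TLS 1.3.
func allowsTLS13(cfg *tls.Config) bool {
	return cfg.MaxVersion == 0 || cfg.MaxVersion >= tls.VersionTLS13
}

// Assess classifies cfg using the three cases in the advisory's description.
// isServer selects the server-side rule. A nil cfg is treated as the default
// config, which for a client is affected because it negotiates TLS 1.3.
func Assess(cfg *tls.Config, isServer bool) Exposure {
	if cfg == nil {
		cfg = &tls.Config{}
	}
	var e Exposure
	if isServer {
		e.TLS13ServerClientAuth = allowsTLS13(cfg) && cfg.ClientAuth >= tls.RequestClientCert
		return e
	}
	switch {
	case allowsTLS13(cfg):
		e.TLS13Client = true
	case cfg.ClientSessionCache != nil:
		e.TLS12ClientResumption = true
	}
	return e
}

// HardenedClientConfig returns a copy of base with the client-side workaround
// applied: no session cache (so no TLS 1.2 resumption) and, because the
// advisory's record-size limit is not a crypto/tls option (assumption made by
// this example), MaxVersion capped at TLS 1.2 so TLS 1.3 is never negotiated.
func HardenedClientConfig(base *tls.Config) *tls.Config {
	cfg := base.Clone() // Clone on a nil *tls.Config returns nil
	if cfg == nil {
		cfg = &tls.Config{}
	}
	cfg.ClientSessionCache = nil
	cfg.MaxVersion = tls.VersionTLS12
	return cfg
}

// HardenedServerConfig returns a copy of base that no longer requests client
// certificates, which removes the server-side affected case.
func HardenedServerConfig(base *tls.Config) *tls.Config {
	cfg := base.Clone()
	if cfg == nil {
		cfg = &tls.Config{}
	}
	cfg.ClientAuth = tls.NoClientCert
	return cfg
}

func main() {
	// Constructed sample configs for illustration, not from any real deployment.
	samples := []struct {
		name     string
		cfg      *tls.Config
		isServer bool
	}{
		{"default client", &tls.Config{}, false},
		{"TLS 1.2 client with resumption", &tls.Config{MaxVersion: tls.VersionTLS12, ClientSessionCache: tls.NewLRUClientSessionCache(16)}, false},
		{"TLS 1.2 client, no resumption", &tls.Config{MaxVersion: tls.VersionTLS12}, false},
		{"mTLS server", &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}, true},
		{"server without client auth", &tls.Config{}, true},
	}
	for _, s := range samples {
		e := Assess(s.cfg, s.isServer)
		fmt.Printf("%-32s affected=%-5v %+v\n", s.name, e.Any(), e)
	}
	fmt.Println("hardened client affected:", Assess(HardenedClientConfig(samples[0].cfg), false).Any())
	fmt.Println("hardened server affected:", Assess(HardenedServerConfig(samples[3].cfg), true).Any())
}
```

Assess is deliberately conservative about MaxVersion: a zero value is treated as "TLS 1.3 allowed" because that is the crypto/tls default, so a config that never set MaxVersion is reported as affected rather than silently passed.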

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALSA-2023:3083
ALSA-2023:6363
ALSA-2023:6380
ALSA-2023:6402
ALSA-2023:6473
ALSA-2023:6474
ALSA-2023:6938
ALSA-2023:6939
ALT-PU-2023-1269
ALT-PU-2023-1323
ALT-PU-2023-4785
ALT-PU-2023-7095
AZL-13731
AZL-13737
AZL-34755
AZL-37400
AZL-37508
AZL-78952
BDU:2024-03152
BIT-GOLANG-2022-41724
CESA-2023_3083
CESA-2023_6938
CESA-2023_6939
CVE-2022-41724
GO-2023-1570
MGASA-2023-0109
OESA-2023-1192
OPENSUSE-SU-2024:12707-1
OPENSUSE-SU-2024:12708-1
OPENSUSE-SU-2024:12798-1
OPENSUSE-SU-2024:13007-1
OPENSUSE-SU-2024:14076-1
RHSA-2023:1325
RHSA-2023:1329
RHSA-2023:3083
RHSA-2023:3303
RHSA-2023:3366
RHSA-2023:3445
RHSA-2023:3450
RHSA-2023:3612
RHSA-2023:4003
RHSA-2023:4470
RHSA-2023:5964
RHSA-2023:6363
RHSA-2023:6380
RHSA-2023:6402
RHSA-2023:6473
RHSA-2023:6474
RHSA-2023:6938
RHSA-2023:6939
RHSA-2023:7672
RHSA-2023_3083
RHSA-2023_6363
RHSA-2023_6380
RHSA-2023_6402
RHSA-2023_6473
RHSA-2023_6474
RHSA-2023_6938
RHSA-2023_6939
RLSA-2023:3083
SUSE-SU-2023:0733-1
SUSE-SU-2023:0735-1
SUSE-SU-2023:0869-1
SUSE-SU-2023:0871-1
SUSE-SU-2023:2312-1
USN-6140-1
USN-7109-1
USN-7111-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Crypto/Tls