{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-45287", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2023-10-06T17:06:26.221Z", "datePublished": "2023-12-05T16:18:06.104Z", "dateUpdated": "2025-02-13T17:14:00.588Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-01-12T14:06:27.569Z"}, "title": "Before Go 1.20, the RSA based key exchange methods in crypto/tls may exhibit a timing side channel", "descriptions": [{"lang": "en", "value": "Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels."}], "affected": [{"vendor": "Go standard library", "product": "crypto/tls", "collectionURL": "https://pkg.go.dev", "packageName": "crypto/tls", "versions": [{"version": "0", "lessThan": "1.20.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "rsaKeyAgreement.processClientKeyExchange"}, {"name": "rsaKeyAgreement.generateClientKeyExchange"}, {"name": "Conn.Handshake"}, {"name": "Conn.HandshakeContext"}, {"name": "Conn.Read"}, {"name": "Conn.Write"}, {"name": "Dial"}, {"name": "DialWithDialer"}, {"name": "Dialer.Dial"}, {"name": "Dialer.DialContext"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-208: Observable Timing Discrepancy"}]}], "references": [{"url": "https://go.dev/issue/20654"}, {"url": "https://go.dev/cl/326012/26"}, {"url": "https://groups.google.com/g/golang-announce/c/QMK8IQALDvA"}, {"url": "https://people.redhat.com/~hkario/marvin/"}, {"url": "https://pkg.go.dev/vuln/GO-2023-2375"}, {"url": "https://security.netapp.com/advisory/ntap-20240112-0005/"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:21:15.309Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/issue/20654", "tags": ["x_transferred"]}, {"url": "https://go.dev/cl/326012/26", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/QMK8IQALDvA", "tags": ["x_transferred"]}, {"url": "https://people.redhat.com/~hkario/marvin/", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2023-2375", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240112-0005/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "A96BDB4B-F1DA-4948-8E56-8B4933BB8BC2", "versionEndExcluding": "1.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels."}, {"lang": "es", "value": "Antes de Go 1.20, los intercambios de claves TLS basados en RSA utilizaban la librer\u00eda math/big, que no es un tiempo constante. Se aplic\u00f3 blinding RSA para prevenir ataques sincronizados, pero el an\u00e1lisis muestra que esto puede no haber sido completamente efectivo. En particular, parece que la eliminaci\u00f3n del relleno PKCS#1 puede filtrar informaci\u00f3n de tiempo, que a su vez podr\u00eda usarse para recuperar bits de clave de sesi\u00f3n. En Go 1.20, la librer\u00eda crypto/tls cambi\u00f3 a una implementaci\u00f3n RSA de tiempo completamente constante, que no creemos que muestre ning\u00fan canal lateral de temporizaci\u00f3n."}], "id": "CVE-2023-45287", "lastModified": "2024-11-21T08:26:42.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-05T17:15:08.570", "references": [{"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/cl/326012/26"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/20654"}, {"source": "security@golang.org", "tags": ["Mailing List", "Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/QMK8IQALDvA"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://people.redhat.com/~hkario/marvin/"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-2375"}, {"source": "security@golang.org", "url": "https://security.netapp.com/advisory/ntap-20240112-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://go.dev/cl/326012/26"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/20654"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/QMK8IQALDvA"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://people.redhat.com/~hkario/marvin/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-2375"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240112-0005/"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3316", "cpe": "cpe:/a:redhat:migration_toolkit_applications:7.0::el9", "package": "mta/mta-cli-rhel9:7.0.3-16", "product_name": "MTA-7.0-RHEL-9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:1859", "cpe": "cpe:/a:redhat:openshift_api_data_protection:1.3::el9", "package": "oadp/oadp-velero-rhel9:1.3.1-16", "product_name": "OADP-1.3-RHEL-9", "release_date": "2024-04-16T00:00:00Z"}, {"advisory": "RHSA-2024:0281", "cpe": "cpe:/a:redhat:openshift_secondary_scheduler:1.2::el9", "package": "openshift-secondary-scheduler-operator/secondary-scheduler-operator-bundle:v1.2-19", "product_name": "OSSO-1.2-RHEL-9", "release_date": "2024-03-06T00:00:00Z"}, {"advisory": "RHSA-2024:0281", "cpe": "cpe:/a:redhat:openshift_secondary_scheduler:1.2::el9", "package": "openshift-secondary-scheduler-operator/secondary-scheduler-rhel9-operator:v1.2-26", "product_name": "OSSO-1.2-RHEL-9", "release_date": "2024-03-06T00:00:00Z"}, {"advisory": "RHSA-2024:0748", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:4.0-8090020240201111813.d7b6f4b7", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:2988", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:rhel8-8100020240227110532.82888897", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:2180", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "runc-4:1.1.12-2.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2193", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "podman-2:4.9.4-0.1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2239", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "skopeo-2:1.14.3-0.1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2245", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "buildah-2:1.33.6-2.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2272", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "containernetworking-plugins-1:1.4.0-2.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:4429", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "containernetworking-plugins-1:1.2.0-3.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-09T00:00:00Z"}, {"advisory": "RHSA-2023:7201", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "buildah-1:1.29.1-20.2.rhaos4.15.el9", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2023:7201", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "butane-0:0.20.0-1.rhaos4.15.el8", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2023:7201", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "containernetworking-plugins-1:1.4.0-1.1.rhaos4.15.el8", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2023:7201", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "openshift-0:4.15.0-202402142009.p0.g6216ea1.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2023:7201", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "openshift-clients-0:4.15.0-202402070507.p0.g48dcf59.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2023:7201", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "podman-3:4.4.1-21.rhaos4.15.el8", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2023:7201", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "runc-4:1.1.12-1.rhaos4.15.el9", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2023:7201", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "skopeo-2:1.11.2-21.1.rhaos4.15.el9", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2023:7200", "cpe": "cpe:/a:redhat:openshift:4.15::el9", "package": "microshift-0:4.15.0-202402260721.p0.g799289b.assembly.4.15.0.el9", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:2767", "cpe": "cpe:/a:redhat:openstack:17.1::el8", "package": "collectd-sensubility-0:0.2.1-3.el8ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:2729", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "etcd-0:3.4.26-8.el9ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:2730", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "collectd-sensubility-0:0.2.1-3.el9ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:0269", "cpe": "cpe:/a:redhat:run_once_duration_override_operator:1.1::el9", "package": "run-once-duration-override-operator/run-once-duration-override-operator-bundle:v1.1-4", "product_name": "RODOO-1.1-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:0269", "cpe": "cpe:/a:redhat:run_once_duration_override_operator:1.1::el9", "package": "run-once-duration-override-operator/run-once-duration-override-rhel9:v1.1-4", "product_name": "RODOO-1.1-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:0269", "cpe": "cpe:/a:redhat:run_once_duration_override_operator:1.1::el9", "package": "run-once-duration-override-operator/run-once-duration-override-rhel9-operator:v1.1-5", "product_name": "RODOO-1.1-RHEL-9", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1901", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.5.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1901", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-rhel9:1.5.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1901", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.5.3-2", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1901", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-operator-bundle:1.5.3-3", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1901", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-router-rhel9:2.5.1-2", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1901", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.5.3-1", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1901", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.5.3-2", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1078", "cpe": "cpe:/a:redhat:service_telemetry_framework:1.5::el8", "package": "stf/sg-core-rhel8:5.2.1-6", "product_name": "STF-1.5-RHEL-8", "release_date": "2024-03-05T00:00:00Z"}], "bugzilla": {"description": "golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges.", "id": "2253193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253193"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-208", "details": ["Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.", "A flaw was found in the Golang crypto/tls standard library. In previous versions, the package was vulnerable to a Timing Side Channel attack by observing the time it took for RSA-based TLS key exchanges, which was not constant. This flaw allows a malicious user to gather information from the environment."], "mitigation": {"lang": "en:us", "value": "No current mitigation is available for this vulnerability."}, "name": "CVE-2023-45287", "package_state": [{"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Will not fix", "package_name": "cert-manager/cert-manager-operator-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cost_management:3", "fix_state": "Not affected", "package_name": "costmanagement-metrics-operator-container", "product_name": "Cost Management Metrics Operator"}, {"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Affected", "package_name": "cryostat-tech-preview/cryostat-rhel8-operator", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Not affected", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:workload_availability_fence_agents_remediation", "fix_state": "Not affected", "package_name": "workload-availability/fence-agents-remediation-rhel8-operator", "product_name": "Fence Agents Remediation Operator"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/logging-loki-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:lvms:4", "fix_state": "Affected", "package_name": "lvms4/topolvm-rhel9", "product_name": "Logical Volume Manager Storage"}, {"cpe": "cpe:/a:redhat:workload_availability_machine_deletion_remediation", "fix_state": "Not affected", "package_name": "workload-availability/machine-deletion-remediation-rhel8-operator", "product_name": "Machine Deletion Remediation Operator"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Will not fix", "package_name": "mta/mta-hub-rhel8", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-api-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:mirror_registry:1", "fix_state": "Affected", "package_name": "mirror-registry-container", "product_name": "mirror registry for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:network_bound_disk_encryption_tang:1", "fix_state": "Affected", "package_name": "tang-operator-container", "product_name": "NBDE Tang Server"}, {"cpe": "cpe:/a:redhat:network_observ_optr:1", "fix_state": "Not affected", "package_name": "network-observability/network-observability-rhel9-operator", "product_name": "Network Observability Operator"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Not affected", "package_name": "workload-availability/node-healthcheck-rhel8-operator", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:workload_availability_nmo:5", "fix_state": "Not affected", "package_name": "workload-availability/node-maintenance-rhel8-operator", "product_name": "Node Maintenance Operator"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "helm", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Will not fix", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines-client", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-clients", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:openshift_power_monitoring", "fix_state": "Affected", "package_name": "kepler-container", "product_name": "Power monitoring for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-operator-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/subctl-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "aap-cloud-ui-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "receptor", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:certifications:1::el8", "fix_state": "Affected", "package_name": "redhat-certification-preflight", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:certifications:1::el9", "fix_state": "Affected", "package_name": "redhat-certification-preflight", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Will not fix", "package_name": "go-toolset-1.19-golang", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "go-toolset:rhel8/go-toolset", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "grafana-pcp", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "weldr-client", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "butane", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "conmon", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "grafana-pcp", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "ignition", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "toolbox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "weldr-client", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "conmon", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "cri-tools", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "golang-github-prometheus-promu", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "ignition", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Will not fix", "package_name": "rhods/odh-mm-rest-proxy-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/udi-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/tempo-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/tempo-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/gitops-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_service_on_aws:1", "fix_state": "Affected", "package_name": "rosa", "product_name": "Red Hat OpenShift on AWS"}, {"cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1", "fix_state": "Affected", "package_name": "openshift-sandboxed-containers/osc-rhel8-operator", "product_name": "Red Hat Openshift Sandboxed Containers"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "golang-github-infrawatch-apputils", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "rhosp-rhel8/osp-director-agent", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "golang-github-infrawatch-apputils", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Will not fix", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "ovn-operator-container", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/clair-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "yggdrasil-worker-forwarder", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:webterminal:1", "fix_state": "Under investigation", "package_name": "web-terminal-exec-container", "product_name": "Red Hat Web Terminal"}, {"cpe": "cpe:/a:redhat:workload_availability_self_node_remediation", "fix_state": "Not affected", "package_name": "workload-availability/self-node-remediation-rhel8-operator", "product_name": "Self Node Remediation Operator"}], "public_date": "2023-12-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-45287\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-45287\nhttps://pkg.go.dev/vuln/GO-2023-2375"], "statement": "The identified flaw in the Golang crypto/tls library, is assessed as a moderate severity issue rather than important due to several mitigating factors. Although the vulnerability exposes a Timing Side Channel, potentially allowing information retrieval through RSA-based TLS key exchanges, its exploitation demands significant access and expertise. Additionally, while earlier versions implemented RSA blinding to counter timing attacks, the removal of PKCS#1 padding may still leak timing data. However, the practicality of exploiting this flaw is limited, and the transition to a fully constant time RSA implementation in Go 1.20 significantly bolsters security, reducing the risk posed by timing side channels.", "threat_severity": "Moderate", "upstream_fix": "golang 1.20"}