id: GO-2022-0187
modules:
    - module: std
      versions:
        - introduced: 1.6.0-0
        - fixed: 1.7.6
        - introduced: 1.8.0-0
        - fixed: 1.8.2
      vulnerable_at: 1.8.1
      packages:
        - package: crypto/elliptic
          goarch:
            - amd64
          symbols:
            - p256SubInternal
summary: Incorrect computation for P-256 curves in crypto/elliptic
description: |-
    The ScalarMult implementation of curve P-256 for amd64 architectures generates
    incorrect results for certain specific input points. An adaptive attack can
    progressively extract the scalar input to ScalarMult by submitting crafted
    points and observing whether the returned output is correct. This leads to a
    full key recovery attack against static ECDH, as used in popular JWT libraries.
published: 2022-07-01T20:11:15Z
cves:
    - CVE-2017-8932
credits:
    - Vlad Krasnov
    - Filippo Valsorda at Cloudflare
references:
    - fix: https://go.dev/cl/41070
    - fix: https://go.googlesource.com/go/+/9294fa2749ffee7edbbb817a0ef9fe633136fa9c
    - report: https://go.dev/issue/20040
    - web: https://groups.google.com/g/golang-announce/c/B5ww0iFt1_Q/m/TgUFJV14BgAJ
review_status: REVIEWED
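The attack described in this record works because a static-key ECDH peer accepts an attacker-chosen point, multiplies it by its long-term scalar and leaks, through whether the derived output is usable, whether ScalarMult computed that product correctly. The example below is added here and is not part of this vulndb record or of Go's crypto/elliptic; the helper name CheckedScalarMult and its error values are assumptions. It wraps the legacy elliptic.Curve API the advisory concerns with two checks a practitioner would want in front of a static scalar: reject points that are not on the curve, and compute k*P twice, once directly and once as k1*P + k2*P for a fresh random split k = k1 + k2 mod n, refusing to return a result the two evaluations disagree on. The redundant evaluation is a generic defense against implementation faults on specific inputs; the record does not list the affected points, so it is not presented as a proven detector for this particular bug. New code should use crypto/ecdh (Go 1.20 and later), which validates peer points and does not expose ScalarMult at all.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// Assumed helper, not part of crypto/elliptic.
var (
	ErrOffCurve     = errors.New("point is not on the curve")
	ErrZeroScalar   = errors.New("scalar is zero mod n")
	ErrInconsistent = errors.New("scalar multiplication results disagree")
)

// CheckedScalarMult returns k*P for the affine point (x, y), but only after
// verifying the point is on the curve and that two independent evaluations
// of the product agree. The second evaluation uses a random split
// k = k1 + k2 (mod n) drawn from rng, so a result that is wrong only for a
// specific (point, scalar) pair has no reason to be wrong the same way twice.
func CheckedScalarMult(curve elliptic.Curve, rng io.Reader, x, y *big.Int, k []byte) (*big.Int, *big.Int, error) {
	params := curve.Params()

	// The legacy API panics on off-curve input; reject it explicitly first.
	// (IsOnCurve also rejects (0, 0), the API's encoding of the point at infinity.)
	if !curve.IsOnCurve(x, y) {
		return nil, nil, ErrOffCurve
	}

	kInt := new(big.Int).Mod(new(big.Int).SetBytes(k), params.N)
	if kInt.Sign() == 0 {
		return nil, nil, ErrZeroScalar
	}

	// Direct evaluation, as a static-ECDH peer would do it.
	qx, qy := curve.ScalarMult(x, y, kInt.Bytes())

	// Redundant evaluation: pick k1 uniformly in [1, n-1], set k2 = k - k1 mod n,
	// and reroll if either half is zero. Because k != 0 mod n, k1*P and k2*P are
	// never inverses of each other, so their sum is never the point at infinity.
	var k1, k2 *big.Int
	for {
		var err error
		k1, err = rand.Int(rng, params.N)
		if err != nil {
			return nil, nil, err
		}
		k2 = new(big.Int).Sub(kInt, k1)
		k2.Mod(k2, params.N)
		if k1.Sign() != 0 && k2.Sign() != 0 {
			break
		}
	}
	ax, ay := curve.ScalarMult(x, y, k1.Bytes())
	bx, by := curve.ScalarMult(x, y, k2.Bytes())
	rx, ry := curve.Add(ax, ay, bx, by)

	// Refuse to hand back a result the two evaluations disagree on; a caller
	// deriving an ECDH secret should treat this as a hard failure, not as
	// "bad peer point", so the response does not leak anything about k.
	if rx.Cmp(qx) != 0 || ry.Cmp(qy) != 0 {
		return nil, nil, ErrInconsistent
	}
	return qx, qy, nil
}

func main() {
	curve := elliptic.P256()
	p := curve.Params()
	// Constructed input: the P-256 generator and the scalar 2.
	x, y, err := CheckedScalarMult(curve, rand.Reader, p.Gx, p.Gy, []byte{2})
	if err != nil {
		fmt.Println("check failed:", err)
		return
	}
	fmt.Printf("2*G = (%X, %X)\n", x, y)

	// Constructed input: a point with a y coordinate off by one, as an attacker
	// probing the peer might send. It is rejected before any multiplication.
	_, _, err = CheckedScalarMult(curve, rand.Reader, p.Gx, new(big.Int).Add(p.Gy, big.NewInt(1)), []byte{2})
	fmt.Println("off-curve point:", err)
}
```

The cost is three scalar multiplications instead of one, which is acceptable for a static key that is used once per handshake but would be a poor fit for bulk signing. The check is about integrity of the arithmetic, not about invalid-curve attacks; IsOnCurve handles the latter, and the advisory's point is that even on-curve input could be crafted to expose the scalar.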