| id: GO-2022-0187 |
| modules: |
| - module: std |
| versions: |
| - introduced: 1.6.0-0 |
| - fixed: 1.7.6 |
| - introduced: 1.8.0-0 |
| - fixed: 1.8.2 |
| vulnerable_at: 1.8.1 |
| packages: |
| - package: crypto/elliptic |
| goarch: |
| - amd64 |
| symbols: |
| - p256SubInternal |
| summary: Incorrect computation for P-256 curves in crypto/elliptic |
| description: |- |
| The ScalarMult implementation of curve P-256 for amd64 architectures generates |
| incorrect results for certain specific input points. An adaptive attack can |
| progressively extract the scalar input to ScalarMult by submitting crafted |
| points and observing failures to derive correct output. This leads to a full key |
| recovery attack against static ECDH, as used in popular JWT libraries. |
| published: 2022-07-01T20:11:15Z |
| cves: |
| - CVE-2017-8932 |
| credits: |
| - Vlad Krasnov |
| - Filippo Valsorda at Cloudflare |
| references: |
| - fix: https://go.dev/cl/41070 |
| - fix: https://go.googlesource.com/go/+/9294fa2749ffee7edbbb817a0ef9fe633136fa9c |
| - report: https://go.dev/issue/20040 |
| - web: https://groups.google.com/g/golang-announce/c/B5ww0iFt1_Q/m/TgUFJV14BgAJ |
| review_status: REVIEWED |