| id: GO-2022-0531 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.17.11 |
| - introduced: 1.18.0-0 |
| - fixed: 1.18.3 |
| vulnerable_at: 1.18.2 |
| packages: |
| - package: crypto/tls |
| symbols: |
| - serverHandshakeStateTLS13.sendSessionTickets |
| summary: Session tickets lack random ticket_age_add in crypto/tls |
| description: |- |
| An attacker can correlate a resumed TLS session with a previous connection. |
| |
| Session tickets generated by crypto/tls do not contain a randomly generated |
| ticket_age_add, which allows an attacker that can observe TLS handshakes to |
| correlate successive connections by comparing ticket ages during session |
| resumption. |
| published: 2022-07-28T17:24:57Z |
| credits: |
| - Github user @nervuri |
| references: |
| - fix: https://go.dev/cl/405994 |
| - fix: https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5 |
| - report: https://go.dev/issue/52814 |
| - web: https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ |
| cve_metadata: |
| id: CVE-2022-30629 |
| cwe: 'CWE-200: Information Exposure' |
| description: |- |
| Non-random values for ticket_age_add in session tickets in crypto/tls before Go |
| 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to |
| correlate successive connections by comparing ticket ages during session |
| resumption. |
| review_status: REVIEWED |