CVE-2022-30629 — Use of Insufficiently Random Values in Standard Library Crypto TLS

CWE-330 — Use of Insufficiently Random Values CWE-331 — Insufficient Entropy10 documents8 sources

Severity

3.1LOWNVD

EPSS

0.1%

top 79.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Crypto TLS Golang GO

Timeline

PublishedAug 10

Latest updateJan 9

Description

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5go_standard_library/crypto_tls1.18.0-0 — 1.18.3+1

▶NVDgolang/go1.18.0 — 1.18.3+1

Patches

Patch: go.dev ↗Patch: go.googlesource.com ↗Patch: go.dev ↗

🔴Vulnerability Details

GHSA

GHSA-j55j-52j7-vq87: Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1↗2022-08-11

▶

OSV

CVE-2022-30629: Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1↗2022-08-10

▶

CVEList

Session tickets lack random ticket_age_add in crypto/tls↗2022-08-09

▶

OSV

Session tickets lack random ticket_age_add in crypto/tls↗2022-07-28

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2024-01-09

▶

Ubuntu

Go vulnerabilities↗2023-04-25

▶

Microsoft

Session tickets lack random ticket_age_add in crypto/tls↗2022-08-09

▶

Red Hat

golang: crypto/tls: session tickets lack random ticket_age_add↗2022-06-02

▶

Debian

CVE-2022-30629: golang-1.15 - Non-random values for ticket_age_add in session tickets in crypto/tls before Go ...↗2022

▶