CVE-2022-41724
CVE Details
Last Update
11/7/2024
NIST CVE Summary
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
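The three affected configurations named in the NIST summary can be checked against an application's own tls.Config values. The Go program below is an added example, not code from this advisory or from the Go project; the Role type and the Exposure and allowsTLS13 helpers are hypothetical names, and it assumes a zero MaxVersion means the library default, which includes TLS 1.3.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Role says how a tls.Config is used; crypto/tls does not record this itself.
type Role int

const (
	Client Role = iota
	Server
)

// allowsTLS13 reports whether cfg can negotiate TLS 1.3.
// Assumption: MaxVersion == 0 selects the library default, which includes TLS 1.3.
func allowsTLS13(cfg *tls.Config) bool {
	return cfg.MaxVersion == 0 || cfg.MaxVersion >= tls.VersionTLS13
}

// Exposure returns the condition from the CVE summary that cfg matches, or "" if none.
func Exposure(cfg *tls.Config, role Role) string {
	switch role {
	case Client:
		if allowsTLS13(cfg) {
			return "TLS 1.3 client"
		}
		if cfg.MaxVersion == tls.VersionTLS12 && cfg.ClientSessionCache != nil {
			return "TLS 1.2 client with session resumption enabled"
		}
	case Server:
		if allowsTLS13(cfg) && cfg.ClientAuth >= tls.RequestClientCert {
			return "TLS 1.3 server requesting client certificates"
		}
	}
	return ""
}

func main() {
	// Constructed sample configurations, not taken from any affected product.
	mtls := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
	plain := &tls.Config{MaxVersion: tls.VersionTLS12}
	fmt.Printf("mTLS server:       %q\n", Exposure(mtls, Server))
	fmt.Printf("TLS 1.2 client:    %q\n", Exposure(plain, Client))
	fmt.Printf("default client:    %q\n", Exposure(&tls.Config{}, Client))
}
```

A match only matters when the binary is built with a Go release that predates the fix; the configuration check does not replace the upgrade.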
Our Official Summary
A vulnerability in the crypto/tls package in Go affects the TLS handshake handler. When handling large handshake records, the product does not properly control the allocation and maintenance of a limited resource, which lets an actor influence the amount of resources consumed and eventually exhaust the available resources. A fix is available in the latest versions of Go. All affected images will be upgraded to the latest versions.
CVE Severity
Status
Ongoing
Affected Products & Versions
- Palette VerteX airgap 4.4.18
- Palette VerteX 4.5.3, 4.5.8
- Palette Enterprise 4.5.3, 4.5.8
Revision History
- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added Palette VerteX airgap 4.4.18 to Affected Products
- 3.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3
- 4.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
- 5.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products