Fedora 34 update for bettercap, chisel, commit-stream, containerd, gobuster, golang-contrib-opencensus-resource, golang-gioui, golang-github-appc-docker2aci, golang-github-appc-goaci, golang-github-appc-spec, golang-github-containerd-continuity, golang-gi

1) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU62039

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-27191

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in golang.org/x/crypto/ssh before 0.0.0-20220314234659-1baeb1ce4c0b, as used in Go programming language. A remote attacker can crash a server in certain circumstances involving AddHostKey.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 34

xq: before 0.0.7-3.fc34

snowcrash: before 0-0.6.20201119git49b99ad.fc34

shhgit: before 0.2-6.fc34

shellz: before 1.5.0-6.fc34

onionscan: before 0.2-6.fc34

grpcurl: before 1.8.6-2.fc34

golang-x-perf: before 0-0.14.20210123gitbdcc622.fc34

golang-storj-drpc: before 0.0.16-5.fc34

golang-mongodb-mongo-driver: before 1.4.5-5.fc34

golang-k8s-sample-controller: before 1.22.0-3.fc34

golang-k8s-sample-apiserver: before 1.22.0-4.fc34

golang-k8s-kube-aggregator: before 1.22.0-3.fc34

golang-k8s-code-generator: before 1.22.0-3.fc34

golang-k8s-apiextensions-apiserver: before 1.22.0-5.fc34

golang-gopkg-src-d-git-4: before 4.13.1-7.fc34

golang-github-xordataexchange-crypt: before 0.0.2-11.20190412gitb2862e3.fc34

golang-github-theupdateframework-notary: before 0.7.0-4.fc34

golang-github-spf13-cobra: before 1.4.0-2.fc34

golang-github-redteampentesting-monsoon: before 0.6.0-5.fc34

golang-github-prometheus-tsdb: before 0.10.0-6.fc34

golang-github-prometheus-node-exporter: before 1.3.1-7.fc34

golang-github-prometheus-alertmanager: before 0.23.0-8.fc34

golang-github-prometheus: before 2.32.1-4.fc34

golang-github-pact-foundation: before 1.5.1-5.fc34

golang-github-oklog: before 0.3.2-9.20190701gitca7cdf5.fc34

golang-github-intel-goresctrl: before 0.2.0-4.fc34

golang-github-instrumenta-kubeval: before 0.15.0-7.fc34

golang-github-googlecloudplatform-cloudsql-proxy: before 1.19.1-5.fc34

golang-github-googleapis-gnostic: before 0.5.3-5.fc34

golang-github-google-slothfs: before 0-0.10.20200727git59c1163.fc34

golang-github-google-containerregistry: before 0.5.1-4.fc34

golang-github-gohugoio-testmodbuilder: before 0-0.9.20201030git72e1e0c.fc34

golang-github-gogo-googleapis: before 1.4.1-3.fc34

golang-github-francoispqt-gojay: before 1.2.13-6.fc34

golang-github-envoyproxy-protoc-gen-validate: before 0.4.1-5.fc34

golang-github-coredns-corefile-migration: before 1.0.11-5.fc34

golang-github-containerd-stargz-snapshotter: before 0.7.0-4.fc34

golang-github-containerd-continuity: before 0.2.2-2.fc34

golang-github-appc-spec: before 0.8.11-13.fc34

golang-github-appc-goaci: before 0.1.1-10.fc34

golang-github-appc-docker2aci: before 0.17.2-8.fc34

golang-gioui: before 0-7.20201225git18d4dbf.fc34

golang-contrib-opencensus-resource: before 0.1.2-6.fc34

gobuster: before 3.1.0-2.fc34

containerd: before 1.6.2-3.fc34

commit-stream: before 0.1.2-6.fc34

chisel: before 1.7.7-2.fc34

bettercap: before 2.28-9.fc34

CPE2.3

• cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
• cpe:2.3:a:fedoraproject:xq:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:snowcrash:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:shhgit:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:shellz:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:onionscan:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:grpcurl:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-x-perf:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-storj-drpc:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-mongodb-mongo-driver:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-k8s-sample-controller:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-k8s-sample-apiserver:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-k8s-kube-aggregator:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-k8s-code-generator:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-k8s-apiextensions-apiserver:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-gopkg-src-d-git-4:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-xordataexchange-crypt:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-theupdateframework-notary:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-spf13-cobra:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-redteampentesting-monsoon:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-prometheus-tsdb:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-prometheus-node-exporter:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-prometheus-alertmanager:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-prometheus:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-pact-foundation:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-oklog:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-intel-goresctrl:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-instrumenta-kubeval:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-googlecloudplatform-cloudsql-proxy:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-googleapis-gnostic:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-google-slothfs:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-google-containerregistry:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-gohugoio-testmodbuilder:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-gogo-googleapis:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-francoispqt-gojay:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-envoyproxy-protoc-gen-validate:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-coredns-corefile-migration:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-containerd-stargz-snapshotter:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-containerd-continuity:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-appc-spec:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-appc-goaci:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-github-appc-docker2aci:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-gioui:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:golang-contrib-opencensus-resource:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:gobuster:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:containerd:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:commit-stream:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:chisel:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:bettercap:*:*:*:*:*:fedora:*:*

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2022-5cbd6de569

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.