#VU17245 Resource exhaustion in Go programming language - CVE-2019-6486
Published: January 24, 2019 / Updated: January 28, 2019
Go programming language
Description
The vulnerability allows a remote attacker to cause a denial-of-service (DoS) condition.
The vulnerability exists in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves due to insufficient validation of user-supplied input. A remote attacker can submit specially crafted inputs via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures to consume excessive amounts of CPU and cause the service to crash.