CVE-2022-27191

Public on 2022-03-18

Modified on 2023-08-31

Description

A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentification with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability.

Severity

Medium

CVSS v3 Base Score

7.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 1	amazon-ssm-agent	2023-08-30	ALAS-2023-1825	Fixed
Amazon Linux 2 - Core	amazon-ssm-agent	2023-08-31	ALAS2-2023-2238	Fixed
Amazon Linux 2023	amazon-ssm-agent	2023-08-31	ALAS2023-2023-339	Fixed
Amazon Linux 2 - Core	go-rpm-macros	2022-10-17	ALAS2-2022-1863	Fixed
Amazon Linux 1	golang	2022-09-15	ALAS-2022-1635	Fixed
Amazon Linux 2 - Core	golang	2022-09-15	ALAS2-2022-1846	Fixed
Amazon Linux 2023	golang	2023-02-17	ALAS2023-2023-048	Fixed
Amazon Linux 2023	golang-github-cpuguy83-md2man	2023-02-17	ALAS2023-2023-047	Fixed
Amazon Linux 2 - Core	golang-github-godbus-dbus	2022-10-17	ALAS2-2022-1858	Fixed
Amazon Linux 2 - Core	golang-github-gorilla-context	2022-10-17	ALAS2-2022-1859	Fixed
Amazon Linux 2 - Core	golang-github-gorilla-mux	2022-10-17	ALAS2-2022-1860	Fixed
Amazon Linux 2 - Core	golang-github-kr-pty	2022-10-17	ALAS2-2022-1864	Fixed
Amazon Linux 2 - Core	golang-github-syndtr-gocapability	2022-10-17	ALAS2-2022-1865	Fixed
Amazon Linux 2 - Core	golang-googlecode-net	2022-10-17	ALAS2-2022-1861	Fixed
Amazon Linux 2 - Core	golang-googlecode-sqlite	2022-10-17	ALAS2-2022-1862	Fixed
Amazon Linux 2 - Core	golist	2022-09-15	ALAS2-2022-1847	Fixed
Amazon Linux 2023	golist	2023-02-17	ALAS2023-2023-046	Fixed
Amazon Linux 2 - Docker Extra	runc	2022-09-30	ALAS2DOCKER-2022-020	Fixed

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD	CVSSv2	4.3	AV:N/AC:M/Au:N/C:N/I:N/A:P

References

Red Hat: CVE-2022-27191 Mitre: CVE-2022-27191