Vulnerability Description
The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opensuse | Leap | 42.1 |
| Golang | Go | 1.5 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175642.ht
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176179.ht
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00077.html
- http://www.openwall.com/lists/oss-security/2015/12/21/6
- http://www.openwall.com/lists/oss-security/2015/12/22/9
- http://www.openwall.com/lists/oss-security/2016/01/13/7
- https://github.com/golang/go/issues/13515Patch
- https://go-review.googlesource.com/#/c/17672/
- https://groups.google.com/forum/#%21topic/golang-announce/MEATuOi_ei4
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175642.ht
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176179.ht
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00077.html
- http://www.openwall.com/lists/oss-security/2015/12/21/6
- http://www.openwall.com/lists/oss-security/2015/12/22/9
- http://www.openwall.com/lists/oss-security/2016/01/13/7
FAQ
What is CVE-2015-8618?
CVE-2015-8618 is a vulnerability with a CVSS score of 7.5 (HIGH). The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys ...
How severe is CVE-2015-8618?
CVE-2015-8618 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-8618?
Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Leap, Golang Go.