Uploaded image for project: 'Go Driver'
  1. Go Driver
  2. GODRIVER-3159

CVE-2023-48795, CVE-2023-42818 known vulnerability in youmark/pkcs8

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Unknown Unknown
    • 2.0.0, 1.17.0
    • Affects Version/s: None
    • Component/s: None
    • None
    • Go Drivers
    • Not Needed
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?

      Detailed steps to reproduce the problem?

      From SECBUG-237:

      The Go driver makes use of a library github.com/youmark/pkcs8. Which has not updated its golang.org/x/crypto dependency. Which has been patched recently for the following security vulnerabilities: * CVE-2023-48795 5.9 Insufficient Verification of Data Authenticity vulnerability with Medium severity found * CVE-2023-42818 9.8 Improper Restriction of Excessive Authentication Attempts vulnerability with High severity found

      CVE-2023-48795: https://nvd.nist.gov/vuln/detail/CVE-2023-48795
      CVE-2023-42818: https://nvd.nist.gov/vuln/detail/CVE-2023-42818

      Definition of done: what must be done to consider the task complete?

      The x509 library has ParsePKCS8PrivateKey, but it is for PKCS #8 and the current requirement is for PKCS #5. Go's support for encrypted private keys only handles decryption of the outer PEM layer, it does not support decryption of the PEM-decoded PKCS8 data. See Go issue #8860. Recommend copying the minimal code from https://github.com/youmark/pkcs8 required for the Go Driver. Here is a gist of what we would need.

      The exact Go version used, with patch level:

      go version go1.21.4 darwin/arm64

      The exact version of the Go driver used:

      1.14.0

      Describe how MongoDB is set up. Local vs Hosted, version, topology, load balanced, etc.

      local, 8.0.0-alpha-5176-gbfdc5ac, replica-set

      The operating system and version (e.g. Windows 7, OSX 10.8, ...)

      Sonoma 14.3

      Security Vulnerabilities

      NA

            Assignee:
            preston.vasquez@mongodb.com Preston Vasquez
            Reporter:
            preston.vasquez@mongodb.com Preston Vasquez
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: