Detailed steps to reproduce the problem?
From SECBUG-237:
The Go driver makes use of a library, github.com/youmark/pkcs8, which has not updated its golang.org/x/crypto dependency, which has been patched recently for the following security vulnerabilities:
* CVE-2023-48795 5.9 Insufficient Verification of Data Authenticity vulnerability with Medium severity found
* CVE-2023-42818 9.8 Improper Restriction of Excessive Authentication Attempts vulnerability with High severity found
CVE-2023-48795: https://nvd.nist.gov/vuln/detail/CVE-2023-48795
CVE-2023-42818: https://nvd.nist.gov/vuln/detail/CVE-2023-42818
Definition of done: what must be done to consider the task complete?
The x509 library has ParsePKCS8PrivateKey, but it is for PKCS #8 and the current requirement is for PKCS #5. Go's support for encrypted private keys only handles decryption of the outer PEM layer; it does not support decryption of the PEM-decoded PKCS8 data. See Go issue #8860. Recommend copying the minimal code from https://github.com/youmark/pkcs8 required for the Go Driver. Here is a gist of what we would need.
The exact Go version used, with patch level:
go version go1.21.4 darwin/arm64
The exact version of the Go driver used:
1.14.0
Describe how MongoDB is set up. Local vs Hosted, version, topology, load balanced, etc.
local, 8.0.0-alpha-5176-gbfdc5ac, replica-set
The operating system and version (e.g. Windows 7, OSX 10.8, ...)
Sonoma 14.3
Security Vulnerabilities
NA
- documents: GODRIVER-3318 Remove youmark/pkcs8 dependency (Backlog)
- related to: GODRIVER-364 Support PKCS8 encrypted client private keys (Closed)