This week Go 1.5.3 was released to address a security vulnerability. CoreOS Linux itself and the CoreOS products shipped with it are not affected by this issue. Users of etcd and dex on other operating systems should take action.
This security issue, CVE-2015-8618, was introduced in Go 1.5 and causes errors in the RSA computations used by the standard library’s crypto/tls. These errors potentially expose a user’s private key when an attacker is able to observe many RSA signatures. The problem is a greater risk to 32-bit systems than 64-bit systems, and Go TLS servers on 32-bit systems could very likely leak their RSA private keys due to this issue.
Any protocol implementation in Go that creates many RSA signatures could also be affected. Other uses of RSA, such as offline signing or signature validation, are at negligible risk of leaking keys in this way.
Users who have deployed dex or etcd on non-CoreOS, 32-bit systems are most at risk, and should consider rotating TLS keys after updating to the latest versions of the affected projects, listed below. CoreOS Linux itself and the CoreOS products shipped with it are not affected by this issue, and future releases will remain unaffected as the projects transition to the latest Go 1.5 releases.
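The key-leak described above works because a faulty RSA signature is handed to an observer. A standard defensive pattern against that whole bug class is to verify every signature against the public key before releasing it, so an arithmetic fault produces an error instead of a leaked artefact. The following is an added example written for this post, not code from Go, etcd, dex or CoreOS; the names SignChecked, CheckSignature and DemoKey are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
)

// ErrFaultySignature is returned when a freshly computed signature does not
// verify under the signer's own public key. That is the symptom of an RSA
// arithmetic fault, and the faulty value must never leave the process.
var ErrFaultySignature = errors.New("rsa: signature failed self-verification; withheld")

// SignChecked produces a PKCS#1 v1.5 signature over SHA-256(msg) and only
// returns it if it verifies under the matching public key.
func SignChecked(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	// Self-check: one public-key operation per signature.
	if err := rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, ErrFaultySignature
	}
	return sig, nil
}

// CheckSignature reports whether sig is a valid signature over msg for pub.
func CheckSignature(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// DemoKey generates a throwaway 2048-bit key (constructed for the example).
func DemoKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func main() {
	priv, err := DemoKey()
	if err != nil {
		log.Fatal(err)
	}
	sig, err := SignChecked(priv, []byte("constructed message"))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("released %d-byte signature after self-check\n", len(sig))
}
```

The self-check adds one public-key operation per signature, which is cheap next to the private-key operation and worth it for any long-lived server key.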
For more details about the bug, see:
- Go 1.5.3 release
- Red Hat’s Blog on the report, Factoring RSA Keys With TLS Perfect Forward Secrecy
Please download the latest version of affected products below: