CVE-2014-7189

Description

When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors. If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.

How to fix CVE-2014-7189

To remediate CVE-2014-7189, upgrade the affected package to a fixed version below.

• Go/stdlib—upgrade to 1.3.2 or later

Is CVE-2014-7189 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 1.1.0-0, < 1.3.2

References (3)

• PATCHgo.dev/cl/148080043
• REPORTgo.dev/issue/53085
• WEBgroups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ