Go crypto/tls: Information disclosure in Encrypted Client Hello
Summary
Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello. A flaw was found in the `crypto/tls` package in Go. The vulnerability stems from the unintentional exposure of pre-shared key identities within the unencrypted client hello, potentially enabling an attacker to link previously anonymous connections. This primarily affects the privacy of communications rather than integrity or availability. Red Hat severity: Moderate — CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). Weakness: CWE-201. Affected products named by the advisory: Assisted Installer for Red Hat OpenShift Container Platform 2; cert-manager Operator for Red Hat OpenShift; Compliance Operator; Confidential Compute Attestation; and 36 more.
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Official advisory · high-confidence parse· fetched 23 minutes ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.