CVE-2022-30629: 
cAdvisor vulnerability analysis and mitigation

CVE-2022-30629 affects the crypto/tls package in Go versions before 1.17.11 and 1.18.3. The vulnerability stems from non-random values being used for ticketageadd in session tickets, which was discovered and disclosed in May 2022. The issue affects the TLS implementation in Go programming language, specifically impacting applications using the crypto/tls package for secure communications (Go Issue, NVD).

The vulnerability exists because crypto/tls always sets newSessionTicketMsgTLS13.ageAdd to 0, violating the TLS 1.3 specification (RFC 8446, section 4.6.1) which requires ticketageadd to be a securely generated, random 32-bit value. This value is used to obscure the age of the ticket that the client includes in the presharedkey extension. The CVSS v3.1 base score is 3.1 (Low) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows an attacker who can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. This could potentially lead to tracking or identification of client sessions, compromising the privacy and anonymity of TLS connections (Go Announce).

The vulnerability has been fixed in Go versions 1.17.11 and 1.18.3. The fix involves implementing proper random generation of the ticketageadd value as required by the TLS 1.3 specification. Users are advised to upgrade to these patched versions or later to address the vulnerability (Go Announce).