CVE-2023-29409: 
Docker vulnerability analysis and mitigation

A vulnerability identified as CVE-2023-29409 was discovered in the crypto/tls component of Golang, affecting versions prior to 1.19.12, 1.20.0 prior to 1.20.7, and 1.21.0-0 prior to 1.21.0-rc4. The vulnerability involves the verification of certificate chains containing extremely large RSA keys, which can cause significant CPU time consumption during TLS handshakes (Go Packages, NVD).

The vulnerability occurs when extremely large RSA keys in certificate chains cause a client/server to expend significant CPU time verifying signatures. As a mitigation, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, only three certificates in circulation had keys larger than this limit, all of which appeared to be test certificates not actively deployed. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

The successful exploitation of this vulnerability could lead to a Denial of Service (DoS) condition. The vulnerability affects the performance of TLS handshakes when processing certificate chains containing large RSA keys, potentially causing significant resource consumption (NetApp Security).

The vulnerability has been fixed in Go versions 1.19.12, 1.20.7, and 1.21.0-rc4 and later. The fix implements a restriction on RSA key sizes to <= 8192 bits during handshakes. Users are advised to upgrade to these patched versions or later to address the vulnerability (Golang Announce).