CVE-2024-24783: 
cAdvisor vulnerability analysis and mitigation

A vulnerability in Go's crypto/x509 package was discovered where verifying a certificate chain containing a certificate with an unknown public key algorithm causes Certificate.Verify to panic. This vulnerability, identified as CVE-2024-24783, affects all crypto/tls clients and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The issue was discovered by John Howard from Google and was fixed in Go versions 1.21.8 and 1.22.1 (Go Announce).

The vulnerability exists in the certificate verification process of Go's crypto/x509 standard library package. When a certificate chain contains a certificate with an unknown public key algorithm, the Certificate.Verify function enters a panic state instead of handling the error gracefully. This affects the certificate verification process in TLS connections, though the default behavior for TLS servers is to not verify client certificates (NVD, Go Issue).

The successful exploitation of this vulnerability can lead to a Denial of Service (DoS) condition. When triggered, the panic in the Certificate.Verify function can cause the application to crash, potentially disrupting TLS-based services and client connections (NetApp Security).

The vulnerability has been fixed in Go versions 1.21.8 and 1.22.1. Users are advised to upgrade to these versions or later to address the issue. For Go 1.22.x, upgrade to version 1.22.1 or later, and for Go 1.21.x, upgrade to version 1.21.8 or later (Go Announce).