The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the     request body size surpasses the given maxMemory limit. It was possible for an attacker to generate a     multipart request crafted such that the server ran out of file descriptors. (CVE-2017-1000098)

Note that Nessus relies on the presence of the package as reported by the vendor.

There are packages installed that are affected by a vulnerability referenced in the following CVE:

  - The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the
    request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a
    multipart request crafted such that the server ran out of file descriptors. (CVE-2017-1000098)

It was discovered that there was an issue in the Go programming language library where an attacker could generate a MIME request such that the server ran out of file descriptors.

For Debian 7 'Wheezy', this issue has been fixed in golang version 2:1.0.2-1.1+deb7u1.

We recommend that you upgrade your golang packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for golang is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The golang packages provide the Go programming language compiler.

The following packages have been upgraded to a later upstream version:
golang (1.8.3). (BZ#1414500)

Security Fix(es) :

* A carry propagation flaw was found in the implementation of the P-256 elliptic curve in golang. An attacker could possibly use this flaw to extract private keys when static ECDH was used.
(CVE-2017-8932)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

ID	Name	Product	Family	Severity
260783	Linux Distros Unpatched Vulnerability : CVE-2017-1000098	Nessus	Misc.	high
428582	Golang: stdlib: security update to 1.6.4stdlib: security update to 1.7.4	Tenable Cloud Security	Golang	high
428582	Golang: stdlib: security update to 1.6.4stdlib: security update to 1.7.4	Tenable Self-Hosted Container Security	Golang	high
103708	Debian DLA-1123-1 : golang security update	Nessus	Debian Local Security Checks	high
102738	CentOS 7 : golang (CESA-2017:1859)	Nessus	CentOS Local Security Checks	medium
102103	RHEL 7 : golang (RHSA-2017:1859)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2017-1000098

high

Tenable Plugins

high

high

high

high

medium

medium