https://blog.golang.org/path-security

https://groups.google.com/g/golang-announce/c/mperVMGa98w

FEDORA-2021-e435a8bb88

https://security.netapp.com/advisory/ntap-20210219-0001/

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:1746 advisory.

  - golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)

  - golang: cmd/go: packages using cgo can cause arbitrary code execution at build time (CVE-2021-3115)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-1746 advisory.

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code     execution when using the go get command to fetch modules that make use of cgo (for example, cgo can     execute a gcc program from an untrusted download). (CVE-2021-3115)

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1746 advisory.

  - golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)

  - golang: cmd/go: packages using cgo can cause arbitrary code execution at build time (CVE-2021-3115)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the go package has been released.

The version of golang installed on the remote host is prior to 1.15.8-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1609 advisory.

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code     execution when using the go get command to fetch modules that make use of cgo (for example, cgo can     execute a gcc program from an untrusted download). (CVE-2021-3115)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-e435a8bb88 advisory.

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code     execution when using the go get command to fetch modules that make use of cgo (for example, cgo can     execute a gcc program from an untrusted download). (CVE-2021-3115)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for go1.14 fixes the following issues :

Go was updated to version 1.14.14 (bsc#1164903).

Security issues fixed :

  - CVE-2021-3114: Fixed incorrect operations on the P-224     curve in crypto/elliptic (bsc#1181145).

  - CVE-2021-3115: Fixed a potential arbitrary code     execution in the build process (bsc#1181146).

This update was imported from the SUSE:SLE-15:Update update project.

This update for go1.15 fixes the following issues :

Go was updated to version 1.15.7 (bsc#1175132).

Security issues fixed :

  - CVE-2021-3114: Fixed incorrect operations on the P-224     curve in crypto/elliptic (bsc#1181145).

  - CVE-2021-3115: Fixed a potential arbitrary code     execution in the build process (bsc#1181146).

This update was imported from the SUSE:SLE-15:Update update project.

This update for go1.14 fixes the following issues :

Go was updated to version 1.14.14 (bsc#1164903).

Security issues fixed :

CVE-2021-3114: Fixed incorrect operations on the P-224 curve in crypto/elliptic (bsc#1181145).

CVE-2021-3115: Fixed a potential arbitrary code execution in the build process (bsc#1181146).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for go1.15 fixes the following issues :

Go was updated to version 1.15.7 (bsc#1175132).

Security issues fixed :

CVE-2021-3114: Fixed incorrect operations on the P-224 curve in crypto/elliptic (bsc#1181145).

CVE-2021-3115: Fixed a potential arbitrary code execution in the build process (bsc#1181146).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Go project reports :

The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running 'go get', or any other command that builds code. Only users who build untrusted code (and don't execute it) are affected. In addition to Windows users, this can also affect Unix users who have '.' listed explicitly in their PATH and are running 'go get' or build commands outside of a module or with module mode disabled.

The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.
The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.

ID	Name	Product	Family	Severity
150031	CentOS 8 : go-toolset:rhel8 (CESA-2021:1746)	Nessus	CentOS Local Security Checks	medium
149924	Oracle Linux 8 : go-toolset:ol8 (ELSA-2021-1746)	Nessus	Oracle Linux Local Security Checks	medium
149662	RHEL 8 : go-toolset:rhel8 (RHSA-2021:1746)	Nessus	Red Hat Local Security Checks	medium
146875	Photon OS 3.0: Go PHSA-2021-3.0-0200	Nessus	PhotonOS Local Security Checks	high
146635	Amazon Linux 2 : golang (ALAS-2021-1609)	Nessus	Amazon Linux Local Security Checks	medium
146281	Fedora 33 : golang (2021-e435a8bb88)	Nessus	Fedora Local Security Checks	medium
145735	openSUSE Security Update : go1.14 (openSUSE-2021-190)	Nessus	SuSE Local Security Checks	medium
145720	openSUSE Security Update : go1.14 (openSUSE-2021-194)	Nessus	SuSE Local Security Checks	medium
145710	openSUSE Security Update : go1.15 (openSUSE-2021-192)	Nessus	SuSE Local Security Checks	medium
145476	SUSE SLED15 / SLES15 Security Update : go1.14 (SUSE-SU-2021:0222-1)	Nessus	SuSE Local Security Checks	medium
145470	SUSE SLED15 / SLES15 Security Update : go1.15 (SUSE-SU-2021:0223-1)	Nessus	SuSE Local Security Checks	medium
145095	FreeBSD : go -- cmd/go: packages using cgo can cause arbitrary code execution at build time; crypto/elliptic: incorrect operations on the P-224 curve (6a4805d5-5aaf-11eb-a21d-79f5bc5ef6a9)	Nessus	FreeBSD Local Security Checks	medium

CVE-2021-3115

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

medium

medium

medium

high

medium

medium

medium

medium

medium

medium

medium

medium