Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:1746 advisory.

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code     execution when using the go get command to fetch modules that make use of cgo (for example, cgo can     execute a gcc program from an untrusted download). (CVE-2021-3115)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202208-02 (Go: Multiple Vulnerabilities)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. (CVE-2020-28366)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection. (CVE-2020-28367)

  - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader     (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode,     DecodeElement, or Skip method. (CVE-2021-27918)

  - archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon     attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any     filename. (CVE-2021-27919)

  - Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address     octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses,     because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. (CVE-2021-29923)

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code     execution when using the go get command to fetch modules that make use of cgo (for example, cgo can     execute a gcc program from an untrusted download). (CVE-2021-3115)

  - net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of     service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each     be affected in some configurations. (CVE-2021-31525)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's     header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

  - Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function     invocation from a WASM module, when GOARCH=wasm GOOS=js is used. (CVE-2021-38297)

  - ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3     Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
    (CVE-2021-41771)

  - Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP     archive containing an invalid name or an empty filename field. (CVE-2021-41772)

  - net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the     header canonicalization cache via HTTP/2 requests. (CVE-2021-44716)

  - Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or     unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-     descriptor exhaustion. (CVE-2021-44717)

  - Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to     Uncontrolled Memory Consumption. (CVE-2022-23772)

  - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to     be version tags. This can lead to incorrect access control if an actor is supposed to be able to create     branches but not tags. (CVE-2022-23773)

  - Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return     true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

  - encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount     of PEM data. (CVE-2022-24675)

  - regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested     expression. (CVE-2022-24921)

  - Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when     presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to     panic. (CVE-2022-27536)

  - The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic     via long scalar input. (CVE-2022-28327)

  - Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero     flags parameter, the Faccessat function could incorrectly report that a file is accessible.
    (CVE-2022-29526)

  - golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

  - golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

  - Automatic update for grafana-8.5.6-1.fc37.  ##### **Changelog**  ``` * Wed Jun 29 2022 Andreas Gerstmayr     <agerstmayr@redhat.com> 8.5.6-1 - update to 8.5.6 tagged upstream community sources, see CHANGELOG -     updated license to AGPLv3 - place commented sample config file in /etc/grafana/grafana.ini - enable Go     modules in build process - adapt Node.js bundling to yarn v3 and Zero Install feature * Sun Jun 19 2022     Robert-Andr Mauchin <zebob.m@gmail.com> - 7.5.15-3 - Rebuilt for CVE-2022-1996, CVE-2022-24675,     CVE-2022-28327, CVE-2022-27191,   CVE-2022-29526, CVE-2022-30629  ``` (CVE-2022-30629)

  - golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

  - golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

  - golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

  - golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

  - golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

  - golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

  - The Go project reports: encoding/gob & math/big: decoding big.Float and             big.Rat can panic     Decoding big.Float and big.Rat types can panic if the             encoded message is too short.
    (CVE-2022-32189)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:1746 advisory.

  - golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)

  - golang: cmd/go: packages using cgo can cause arbitrary code execution at build time (CVE-2021-3115)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-1746 advisory.

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code     execution when using the go get command to fetch modules that make use of cgo (for example, cgo can     execute a gcc program from an untrusted download). (CVE-2021-3115)

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1746 advisory.

  - golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)

  - golang: cmd/go: packages using cgo can cause arbitrary code execution at build time (CVE-2021-3115)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the go package has been released.

The version of golang installed on the remote host is prior to 1.15.8-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1609 advisory.

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code     execution when using the go get command to fetch modules that make use of cgo (for example, cgo can     execute a gcc program from an untrusted download). (CVE-2021-3115)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-e435a8bb88 advisory.

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code     execution when using the go get command to fetch modules that make use of cgo (for example, cgo can     execute a gcc program from an untrusted download). (CVE-2021-3115)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for go1.14 fixes the following issues :

Go was updated to version 1.14.14 (bsc#1164903).

Security issues fixed :

  - CVE-2021-3114: Fixed incorrect operations on the P-224     curve in crypto/elliptic (bsc#1181145).

  - CVE-2021-3115: Fixed a potential arbitrary code     execution in the build process (bsc#1181146).

This update was imported from the SUSE:SLE-15:Update update project.

This update for go1.15 fixes the following issues :

Go was updated to version 1.15.7 (bsc#1175132).

Security issues fixed :

  - CVE-2021-3114: Fixed incorrect operations on the P-224     curve in crypto/elliptic (bsc#1181145).

  - CVE-2021-3115: Fixed a potential arbitrary code     execution in the build process (bsc#1181146).

This update was imported from the SUSE:SLE-15:Update update project.

This update for go1.14 fixes the following issues :

Go was updated to version 1.14.14 (bsc#1164903).

Security issues fixed :

CVE-2021-3114: Fixed incorrect operations on the P-224 curve in crypto/elliptic (bsc#1181145).

CVE-2021-3115: Fixed a potential arbitrary code execution in the build process (bsc#1181146).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for go1.15 fixes the following issues :

Go was updated to version 1.15.7 (bsc#1175132).

Security issues fixed :

CVE-2021-3114: Fixed incorrect operations on the P-224 curve in crypto/elliptic (bsc#1181145).

CVE-2021-3115: Fixed a potential arbitrary code execution in the build process (bsc#1181146).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Go project reports :

The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running 'go get', or any other command that builds code. Only users who build untrusted code (and don't execute it) are affected. In addition to Windows users, this can also affect Unix users who have '.' listed explicitly in their PATH and are running 'go get' or build commands outside of a module or with module mode disabled.

The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.
The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.

ID	Name	Product	Family	Severity
185079	Rocky Linux 8 : go-toolset:rhel8 (RLSA-2021:1746)	Nessus	Rocky Linux Local Security Checks	high
163840	GLSA-202208-02 : Go: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
150031	CentOS 8 : go-toolset:rhel8 (CESA-2021:1746)	Nessus	CentOS Local Security Checks	high
149924	Oracle Linux 8 : go-toolset:ol8 (ELSA-2021-1746)	Nessus	Oracle Linux Local Security Checks	high
149662	RHEL 8 : go-toolset:rhel8 (RHSA-2021:1746)	Nessus	Red Hat Local Security Checks	high
146875	Photon OS 3.0: Go PHSA-2021-3.0-0200	Nessus	PhotonOS Local Security Checks	high
146635	Amazon Linux 2 : golang (ALAS-2021-1609)	Nessus	Amazon Linux Local Security Checks	high
146281	Fedora 33 : golang (2021-e435a8bb88)	Nessus	Fedora Local Security Checks	high
145735	openSUSE Security Update : go1.14 (openSUSE-2021-190)	Nessus	SuSE Local Security Checks	high
145720	openSUSE Security Update : go1.14 (openSUSE-2021-194)	Nessus	SuSE Local Security Checks	high
145710	openSUSE Security Update : go1.15 (openSUSE-2021-192)	Nessus	SuSE Local Security Checks	high
145476	SUSE SLED15 / SLES15 Security Update : go1.14 (SUSE-SU-2021:0222-1)	Nessus	SuSE Local Security Checks	high
145470	SUSE SLED15 / SLES15 Security Update : go1.15 (SUSE-SU-2021:0223-1)	Nessus	SuSE Local Security Checks	high
145095	FreeBSD : go -- cmd/go: packages using cgo can cause arbitrary code execution at build time; crypto/elliptic: incorrect operations on the P-224 curve (6a4805d5-5aaf-11eb-a21d-79f5bc5ef6a9)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2021-3115

high

Tenable Plugins

high

critical

high

high

high

high

high

high

high

high

high

high

high

high