https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI

https://groups.google.com/g/golang-announce

GLSA-202208-02

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-8008 advisory.

  - An incorrect handling of the supplementary groups in the Buildah container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2990)

  - The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to     crash a server in certain circumstances involving AddHostKey. (CVE-2022-27191)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - An incorrect handling of the supplementary groups in the Podman container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2989)

  - A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a     container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid     `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits     for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a     malicious image, which when downloaded and stored by an application using containers/storage, would then     cause a deadlock leading to a Denial of Service (DoS). (CVE-2021-20291)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-7954 advisory.

  - In x/text in Go 1.15.4, an index out of range panic occurs in language.ParseAcceptLanguage while parsing     the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)     (CVE-2020-28851)

  - A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a     container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid     `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits     for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a     malicious image, which when downloaded and stored by an application using containers/storage, would then     cause a deadlock leading to a Denial of Service (DoS). (CVE-2021-20291)

  - Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including     from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by     default and do not require authentication. This issue affects Podman 1.8.0 onwards. (CVE-2021-20199)

  - In x/text in Go before v0.3.5, a slice bounds out of range panic occurs in language.ParseAcceptLanguage     while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language     header.) (CVE-2020-28852)

  - A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual     machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is     accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an     attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making     private services on the VM accessible to the network. This issue could be also used to interrupt the     host's services by forwarding all ports to the VM. (CVE-2021-4024)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

  - The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to     crash a server in certain circumstances involving AddHostKey. (CVE-2022-27191)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:7954 advisory.

  - In x/text in Go 1.15.4, an index out of range panic occurs in language.ParseAcceptLanguage while parsing     the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)     (CVE-2020-28851)

  - In x/text in Go before v0.3.5, a slice bounds out of range panic occurs in language.ParseAcceptLanguage     while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language     header.) (CVE-2020-28852)

  - A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual     machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is     accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an     attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making     private services on the VM accessible to the network. This issue could be also used to interrupt the     host's services by forwarding all ports to the VM. (CVE-2021-4024)

  - Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including     from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by     default and do not require authentication. This issue affects Podman 1.8.0 onwards. (CVE-2021-20199)

  - A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a     container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid     `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits     for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a     malicious image, which when downloaded and stored by an application using containers/storage, would then     cause a deadlock leading to a Denial of Service (DoS). (CVE-2021-20291)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

  - The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to     crash a server in certain circumstances involving AddHostKey. (CVE-2022-27191)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:8008 advisory.

  - A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a     container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid     `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits     for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a     malicious image, which when downloaded and stored by an application using containers/storage, would then     cause a deadlock leading to a Denial of Service (DoS). (CVE-2021-20291)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - An incorrect handling of the supplementary groups in the Podman container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2989)

  - An incorrect handling of the supplementary groups in the Buildah container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2990)

  - The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to     crash a server in certain circumstances involving AddHostKey. (CVE-2022-27191)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:8008 advisory.

  - containers/storage: DoS via malicious image (CVE-2021-20291)

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large     exponents (CVE-2021-33198)

  - The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to     crash a server in certain circumstances involving AddHostKey. (CVE-2022-27191)

  - An incorrect handling of the supplementary groups in the Podman container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2989)

  - An incorrect handling of the supplementary groups in the Buildah container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2990)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:7954 advisory.

  - golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)

  - golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)

  - podman: Remote traffic to rootless containers is seen as orginating from localhost (CVE-2021-20199)

  - containers/storage: DoS via malicious image (CVE-2021-20291)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

  - podman: podman machine spawns gvproxy with port bound to all IPs (CVE-2021-4024)

  - The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to     crash a server in certain circumstances involving AddHostKey. (CVE-2022-27191)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:3487 advisory.

  - golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large     exponents (CVE-2021-33198)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of golang installed on the remote host is prior to 1.18.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1830 advisory.

  - A nil pointer dereference in the golang.org/x/crypto/ssh component through     v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH     servers. (CVE-2020-29652)

  - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader     (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode,     DecodeElement, or Skip method. (CVE-2021-27918)

  - archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon     attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any     filename. (CVE-2021-27919)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

  - Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function     invocation from a WASM module, when GOARCH=wasm GOOS=js is used. (CVE-2021-38297)

  - In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating     that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of     an incomplete fix for CVE-2021-33196. (CVE-2021-39293)

  - Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to     Uncontrolled Memory Consumption. (CVE-2022-23772)

  - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to     be version tags. This can lead to incorrect access control if an actor is supposed to be able to create     branches but not tags. (CVE-2022-23773)

  - Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return     true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

  - encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount     of PEM data. (CVE-2022-24675)

  - regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested     expression. (CVE-2022-24921)

  - The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic     via long scalar input. (CVE-2022-28327)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202208-02 (Go: Multiple Vulnerabilities)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. (CVE-2020-28366)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection. (CVE-2020-28367)

  - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader     (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode,     DecodeElement, or Skip method. (CVE-2021-27918)

  - archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon     attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any     filename. (CVE-2021-27919)

  - Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address     octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses,     because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. (CVE-2021-29923)

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code     execution when using the go get command to fetch modules that make use of cgo (for example, cgo can     execute a gcc program from an untrusted download). (CVE-2021-3115)

  - net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of     service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each     be affected in some configurations. (CVE-2021-31525)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's     header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

  - Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function     invocation from a WASM module, when GOARCH=wasm GOOS=js is used. (CVE-2021-38297)

  - ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3     Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
    (CVE-2021-41771)

  - Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP     archive containing an invalid name or an empty filename field. (CVE-2021-41772)

  - net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the     header canonicalization cache via HTTP/2 requests. (CVE-2021-44716)

  - Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or     unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-     descriptor exhaustion. (CVE-2021-44717)

  - Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to     Uncontrolled Memory Consumption. (CVE-2022-23772)

  - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to     be version tags. This can lead to incorrect access control if an actor is supposed to be able to create     branches but not tags. (CVE-2022-23773)

  - Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return     true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

  - encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount     of PEM data. (CVE-2022-24675)

  - regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested     expression. (CVE-2022-24921)

  - Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when     presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to     panic. (CVE-2022-27536)

  - The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic     via long scalar input. (CVE-2022-28327)

  - Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero     flags parameter, the Faccessat function could incorrectly report that a file is accessible.
    (CVE-2022-29526)

  - golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

  - golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

  - Automatic update for grafana-8.5.6-1.fc37.  ##### **Changelog**  ``` * Wed Jun 29 2022 Andreas Gerstmayr     <agerstmayr@redhat.com> 8.5.6-1 - update to 8.5.6 tagged upstream community sources, see CHANGELOG -     updated license to AGPLv3 - place commented sample config file in /etc/grafana/grafana.ini - enable Go     modules in build process - adapt Node.js bundling to yarn v3 and Zero Install feature * Sun Jun 19 2022     Robert-Andr Mauchin <zebob.m@gmail.com> - 7.5.15-3 - Rebuilt for CVE-2022-1996, CVE-2022-24675,     CVE-2022-28327, CVE-2022-27191,   CVE-2022-29526, CVE-2022-30629  ``` (CVE-2022-30629)

  - golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

  - golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

  - golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

  - golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

  - golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

  - golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

  - The Go project reports: encoding/gob & math/big: decoding big.Float and             big.Rat can panic     Decoding big.Float and big.Rat types can panic if the             encoded message is too short.
    (CVE-2022-32189)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2021:4156 advisory.

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2021:4226 advisory.

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to     trigger a Denial of Service via a remote API call if a commonly used configuration is set.
    (CVE-2021-27358)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:5072 advisory.

  - golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large     exponents (CVE-2021-33198)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-4226 advisory.

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to     trigger a Denial of Service via a remote API call if a commonly used configuration is set.
    (CVE-2021-27358)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:4226 advisory.

  - grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call     (CVE-2021-27358)

  - golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's     header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4226 advisory.

  - grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call     (CVE-2021-27358)

  - golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address     octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses,     because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. (CVE-2021-29923)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's     header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4156 advisory.

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large     exponents (CVE-2021-33198)

  - golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4156 advisory.

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large     exponents (CVE-2021-33198)

  - golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3820 advisory.

  - jenkins: improper permission checks allow canceling queue items and aborting builds (CVE-2021-21670)

  - jenkins: session fixation vulnerability (CVE-2021-21671)

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large     exponents (CVE-2021-33198)

  - golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of golang installed on the remote host is prior to 1.15.14-1.69. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1527 advisory.

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3431 advisory.

  - golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet     (CVE-2021-29923)

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the go package has been released.

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's     header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3248 advisory.

  - golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large     exponents (CVE-2021-33198)

  - golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3009 advisory.

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large     exponents (CVE-2021-33198)

  - golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2984 advisory.

  - golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large     exponents (CVE-2021-33198)

  - golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:0950-1 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2214-1 advisory.

  - Go before 1.15.12 and 1.16.x before 1.16.5 allows injection. (CVE-2021-33195)

  - Go before 1.15.12 and 1.16.x before 1.16.5 attempts to allocate excessive memory (issue 1 of 2).
    (CVE-2021-33196)

  - Go before 1.15.12 and 1.16.x before 1.16.5 acts as an Unintended Proxy or Intermediary. (CVE-2021-33197)

  - Go before 1.15.12 and 1.16.x before 1.16.5 attempts to allocate excessive memory (issue 2 of 2).
    (CVE-2021-33198)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2186-1 advisory.

  - Go before 1.15.12 and 1.16.x before 1.16.5 allows injection. (CVE-2021-33195)

  - Go before 1.15.12 and 1.16.x before 1.16.5 attempts to allocate excessive memory (issue 1 of 2).
    (CVE-2021-33196)

  - Go before 1.15.12 and 1.16.x before 1.16.5 acts as an Unintended Proxy or Intermediary. (CVE-2021-33197)

  - Go before 1.15.12 and 1.16.x before 1.16.5 attempts to allocate excessive memory (issue 2 of 2).
    (CVE-2021-33198)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Go project reports :

The SetString and UnmarshalText methods of math/big.Rat may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.

ReverseProxy in net/http/httputil could be made to forward certain hop-by-hop headers, including Connection. In case the target of the ReverseProxy was itself a reverse proxy, this would let an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.

The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net, and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.

The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.

ID	Name	Product	Family	Severity
168110	Oracle Linux 9 : buildah (ELSA-2022-8008)	Nessus	Oracle Linux Local Security Checks	high
168070	Oracle Linux 9 : podman (ELSA-2022-7954)	Nessus	Oracle Linux Local Security Checks	medium
167982	AlmaLinux 9 : podman (ALSA-2022:7954)	Nessus	Alma Linux Local Security Checks	medium
167960	AlmaLinux 9 : buildah (ALSA-2022:8008)	Nessus	Alma Linux Local Security Checks	high
167618	RHEL 9 : buildah (RHSA-2022:8008)	Nessus	Red Hat Local Security Checks	high
167600	RHEL 9 : podman (RHSA-2022:7954)	Nessus	Red Hat Local Security Checks	medium
165146	RHEL 8 : Red Hat OpenStack Platform 16.2 (etcd) (RHSA-2021:3487)	Nessus	Red Hat Local Security Checks	high
163918	Amazon Linux 2 : golang (ALAS-2022-1830)	Nessus	Amazon Linux Local Security Checks	critical
163840	GLSA-202208-02 : Go: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
158854	AlmaLinux 8 : go-toolset:rhel8 (ALSA-2021:4156)	Nessus	Alma Linux Local Security Checks	high
157604	AlmaLinux 8 : grafana (ALSA-2021:4226)	Nessus	Alma Linux Local Security Checks	high
156004	RHEL 8 : Red Hat OpenStack Platform 16.1 (etcd) (RHSA-2021:5072)	Nessus	Red Hat Local Security Checks	high
155406	Oracle Linux 8 : grafana (ELSA-2021-4226)	Nessus	Oracle Linux Local Security Checks	high
155338	CentOS 8 : grafana (CESA-2021:4226)	Nessus	CentOS Local Security Checks	high
155254	EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-2710)	Nessus	Huawei Local Security Checks	high
155239	EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-2685)	Nessus	Huawei Local Security Checks	high
155224	RHEL 8 : grafana (RHSA-2021:4226)	Nessus	Red Hat Local Security Checks	high
155140	EulerOS 2.0 SP5 : golang (EulerOS-SA-2021-2661)	Nessus	Huawei Local Security Checks	high
155090	RHEL 8 : go-toolset:rhel8 (RHSA-2021:4156)	Nessus	Red Hat Local Security Checks	high
155083	CentOS 8 : go-toolset:rhel8 (CESA-2021:4156)	Nessus	CentOS Local Security Checks	high
154293	RHEL 8 : OpenShift Container Platform 4.8.15 packages and (RHSA-2021:3820)	Nessus	Red Hat Local Security Checks	high
153167	Amazon Linux AMI : golang (ALAS-2021-1527)	Nessus	Amazon Linux Local Security Checks	medium
153098	RHEL 7 : go-toolset-1.15-golang (RHSA-2021:3431)	Nessus	Red Hat Local Security Checks	high
153045	Photon OS 3.0: Go PHSA-2021-3.0-0294	Nessus	PhotonOS Local Security Checks	high
152975	RHEL 7 / 8 : OpenShift Container Platform 4.8.9 packages and (RHSA-2021:3248)	Nessus	Red Hat Local Security Checks	high
152585	RHEL 8 : OpenShift Container Platform 4.6.42 (RHSA-2021:3009)	Nessus	Red Hat Local Security Checks	high
152440	RHEL 7 / 8 : OpenShift Container Platform 4.8.4 bug fix and (RHSA-2021:2984)	Nessus	Red Hat Local Security Checks	high
151282	openSUSE 15 Security Update : go1.15 (openSUSE-SU-2021:0950-1)	Nessus	SuSE Local Security Checks	high
151204	SUSE SLED15 / SLES15 Security Update : go1.15 (SUSE-SU-2021:2214-1)	Nessus	SuSE Local Security Checks	high
151123	SUSE SLED15 / SLES15 Security Update : go1.16 (SUSE-SU-2021:2186-1)	Nessus	SuSE Local Security Checks	high
150273	FreeBSD : go -- multiple vulnerabilities (079b3641-c4bd-11eb-a22a-693f0544ae52)	Nessus	FreeBSD Local Security Checks	high

CVE-2021-33197

medium

Tenable Plugins

high

medium

medium

high

high

medium

high

critical

critical

high

high

high

high

high

high

high

high

high

high

high

high

medium

high

high

high

high

high

high

high

high

high