Amazon Linux AMI : golang (ALAS-2018-975)
High Nessus Plugin ID 108600
Synopsis
The remote Amazon Linux AMI host is missing a security update.
Description
Arbitrary code execution during 'go get' via C compiler options:
An arbitrary command execution flaw was found in the way Go's 'go get' command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. (CVE-2018-6574)
The 'go get' implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for '://' anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted website. (CVE-2018-7187)
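The CVE-2018-7187 description above turns on a substring test for '://'. The following is an added example, not code from Go's get/vcs.go: it sets that kind of test beside a parsed, allow-listed scheme check. The names looseCheck, strictCheck and looseOnly, the scheme allow-list and the sample inputs are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedSchemes is an assumed allow-list chosen for this example.
var allowedSchemes = map[string]bool{"https": true, "ssh": true}

// looseCheck reproduces the weakness the advisory describes: any string
// with "://" somewhere in it is treated as a URL that carries a scheme.
func looseCheck(repo string) bool {
	return strings.Contains(repo, "://")
}

// strictCheck (hypothetical helper) parses the value and requires an
// allow-listed scheme at the start of the string plus a non-empty host.
func strictCheck(repo string) bool {
	u, err := url.Parse(repo)
	if err != nil {
		return false
	}
	return allowedSchemes[u.Scheme] && u.Host != ""
}

// samples are constructed inputs, not values taken from a real repository.
var samples = []string{
	"https://example.com/repo.git", // well-formed: both checks accept
	"example.com/repo?next=://",    // "://" appears only in the query
	"file:///tmp/repo",             // scheme is not on the allow-list
	"https:///repo",                // allowed scheme, empty host
	"example.com/repo",             // no "://": both checks reject
}

// looseOnly returns the inputs that pass the substring test but fail the
// parsed check.
func looseOnly(in []string) []string {
	var out []string
	for _, s := range in {
		if looseCheck(s) && !strictCheck(s) {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	for _, s := range looseOnly(samples) {
		fmt.Printf("accepted by substring test only: %q\n", s)
	}
}
```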
Solution
Run 'yum update golang' to update your system.