Описание
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
An input validation vulnerability was found in Go. From a generated go file (from the cgo tool), it is possible to modify symbols within that object file and specify code. This flaw allows an attacker to create a repository that includes malicious pre-built object files that could execute arbitrary code when downloaded and run via go get or go build while building a Go project. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Отчет
While OpenShift Container Platform (OCP), Red Hat OpenShift Jaeger (RHOSJ), OpenShift Service Mesh (OSSM), and OpenShift Virtualization all contain RPMs and containers which are compiled with a vulnerable version of Go, the vulnerability is specific to the building of Go code itself. Using go get or go build and as such, the relevant components have been marked as not affected.
Additionally, only the main RPMs and containers for OCP, RHOSJ, OSSM, and OpenShift Virtualization are represented due to the large volume of not affected components.
Red Hat Ceph Storage 3 ships the vulnerable version of go, and an attacker building go code on RHCS 3 could potentially exploit this vulnerability.
Меры по смягчению последствий
If it's possible to confirm that the Go project being built does not rely on any cgo code in the included dependencies, the env variable CGO_ENABLED=0 can be specified when using either go get or go build.
For example:
CGO_ENABLED=0 go get github.com/someproject
This will not stop the files being downloaded but will stop any automatic complication of the cgo code, including inlined in the go file and separate .c files. Of course, this will only be effective if cgo is not relied upon in a given dependency and may not be appropriate in all scenarios.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel7 | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel8 | Not affected | ||
| Distributed Tracing Jaeger 1 | jaeger-rhel7-operator | Not affected | ||
| Distributed Tracing Jaeger 1 | jaeger-rhel8-operator | Not affected | ||
| OpenShift Serverless | knative-eventing | Affected | ||
| OpenShift Service Mesh 1 | kiali | Not affected | ||
| OpenShift Service Mesh 1 | servicemesh | Not affected | ||
| OpenShift Service Mesh 1 | servicemesh-operator | Not affected | ||
| OpenShift Service Mesh 2.0 | kiali | Not affected | ||
| OpenShift Service Mesh 2.0 | servicemesh | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
Code injection in the go command with cgo before Go 1.14.12 and Go 1.1 ...
Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.
EPSS
7.5 High
CVSS3