Описание
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
An input validation vulnerability was found in Go. If cgo is specified in a Go file, it is possible to bypass the validation of arguments to the gcc compiler. This flaw allows an attacker to create a malicious repository that can execute arbitrary code when downloaded and run via go get or go build while building a Go project. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
Отчет
While the OpenShift Container Platform (OCP), Red Hat OpenShift Jaeger (RHOSJ), OpenShift Service Mesh (OSSM), and OpenShift Virtualization all contain RPMs and containers that are compiled with a vulnerable version of Go, the vulnerability is specific to the building of the Go code itself. Using go get or go build and as such, the relevant components have been marked as not affected.
Additionally, only the main RPMs and containers for OCP, RHOSJ, OSSM, and OpenShift Virtualization are represented due to the large volume of not affected components.
Red Hat Ceph Storage 3 ships the vulnerable version of go, and an attacker building go code on RHCS 3 could potentially exploit this vulnerability.
Меры по смягчению последствий
If it's possible to confirm that the go project being built does not rely on any cgo code in the included dependencies, the env variable CGO_ENABLED=0 can be specified when using either go get or go build.
For example:
CGO_ENABLED=0 go get github.com/someproject
This will not stop the files being downloaded but will stop any automatic complication of the cgo code, including inlined in the go file and separate .c files. Of course, this will only be effective if cgo is not relied upon in a given dependency and may not be appropriate in all scenarios.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel7 | Not affected | ||
| Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-all-in-one-rhel8 | Not affected | ||
| Distributed Tracing Jaeger 1 | jaeger-rhel7-operator | Not affected | ||
| Distributed Tracing Jaeger 1 | jaeger-rhel8-operator | Not affected | ||
| OpenShift Serverless | knative-serving | Affected | ||
| OpenShift Service Mesh 1 | kiali | Not affected | ||
| OpenShift Service Mesh 1 | servicemesh | Not affected | ||
| OpenShift Service Mesh 1 | servicemesh-operator | Not affected | ||
| OpenShift Service Mesh 2.0 | kiali | Not affected | ||
| OpenShift Service Mesh 2.0 | servicemesh | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
Code injection in the go command with cgo before Go 1.14.12 and Go 1.1 ...
Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.
EPSS
7.5 High
CVSS3