Bug 1918761 (CVE-2021-3115)

Summary: CVE-2021-3115 golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: admiller, amctagga, amurdaca, anharris, aos-bugs, asm, bbrownin, bmontgom, bniver, bodavis, deparker, dramseur, emachado, eparis, fdeutsch, flucifre, fweimer, gmeno, hchiramm, hgomes, hvyas, jakub, jburrell, jcajka, jcosta, jhunter, jmulligan, jokerman, jpadman, jshaughn, jwendell, jwon, kconner, kmitts, krathod, law, lemenkov, madam, markito, mbenjamin, mgala, mhackett, mjudeiki, mnewsome, mpolacek, nstielau, ohudlick, puebele, rcernich, renich, rhs-bugs, rrajasek, rtalur, security-response-team, sipoyare, sostapov, sponnaga, storage-qa-internal, swshanka, team-winc, tstellar, twalsh, vbatts, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: go 1.15.7, go 1.14.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang: cmd/go, in which Go can execute arbitrary commands at build time when cgo is in use on Windows OS. On Linux/Unix, only users who have "." listed explicitly in their PATH variable are affected. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Last Closed: 2021-02-22 19:01:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1898822, 1918762, 1918763, 1918766, 1920515, 1920517, 1921144, 1921145, 1921146, 1921147, 1921148, 1930112, 1930113, 1930114
Bug Blocks: 1918758

Description Michael Kaplan 2021-01-21 14:21:43 UTC
The go command may execute arbitrary code at build time when users have “.” listed explicitly in their PATH and are running “go get” or build commands outside of a module or with module mode disabled.

Comment 1 Michael Kaplan 2021-01-21 14:22:32 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1918762]
Affects: fedora-all [bug 1918763]

Comment 4 Sage McTaggart 2021-01-27 15:40:23 UTC
https://go-review.googlesource.com/c/go/+/284783/ Upstream patch

Comment 6 Hardik Vyas 2021-01-29 12:57:32 UTC
External References:

https://groups.google.com/g/golang-announce/c/mperVMGa98w

Comment 8 Przemyslaw Roguski 2021-02-05 17:01:42 UTC
Statement:

While OpenShift Container Platform (OCP), Red Hat OpenShift Jaeger (RHOSJ), OpenShift Service Mesh (OSSM) and OpenShift Virtualization all contain RPMs and containers which are compiled with a vulnerable version of Go, the vulnerability is specific to the building of Go code itself. Hence the relevant components have been marked as not affected.

Additionally, only the main RPMs and containers for OCP, RHOSJ, OSSM and OpenShift Virtualization are represented due to the large volume of not affected components.

Comment 12 Riccardo Schirone 2021-02-18 12:37:00 UTC
Mitigation:

The flaw can be mitigated by making sure "." is not in your PATH environment variable.
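A small POSIX sh helper for checking the mitigation above, added here as an example and not part of the bug record or the Go project: it audits a PATH value for the explicit "." entry the advisory names and also flags empty components (a leading, trailing or doubled ":", which POSIX shells treat as the current directory) and relative entries, then builds a cleaned PATH containing only absolute directories. Function names and the sample PATH values are constructed for this example.

```shell
#!/bin/sh
# audit_path PATHVALUE
#   Prints one line per entry that resolves relative to the current directory.
#   Returns 0 when every entry is an absolute path, 1 otherwise.
audit_path() {
    _rest=$1
    _bad=0
    _more=1
    while [ "$_more" = 1 ]; do
        # Peel off one ":"-separated component; the last one ends the loop.
        case $_rest in
            *:*) _entry=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _entry=$_rest; _more=0 ;;
        esac
        case $_entry in
            "")  echo "empty entry (searched as the current directory)"; _bad=1 ;;
            .)   echo "explicit \".\" entry"; _bad=1 ;;
            /*)  ;;   # absolute directory: acceptable
            *)   echo "relative entry: $_entry"; _bad=1 ;;
        esac
    done
    return $_bad
}

# strip_path PATHVALUE
#   Prints the same PATH with "." , empty and relative components removed.
strip_path() {
    _rest=$1
    _out=
    _more=1
    while [ "$_more" = 1 ]; do
        case $_rest in
            *:*) _entry=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _entry=$_rest; _more=0 ;;
        esac
        case $_entry in
            /*) _out=${_out:+$_out:}$_entry ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Example run on a constructed PATH; on a real host use: audit_path "$PATH"
if ! audit_path "/usr/local/bin:.:/usr/bin::/bin:"; then
    echo "cleaned PATH: $(strip_path "/usr/local/bin:.:/usr/bin::/bin:")"
fi
```

Exporting the cleaned value (`PATH=$(strip_path "$PATH")`) in the shell that runs `go get` or `go build` removes the condition the advisory describes for Linux/Unix.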

Comment 13 Product Security DevOps Team 2021-02-22 19:01:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3115

Comment 14 errata-xmlrpc 2021-04-22 18:17:43 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:1339 https://access.redhat.com/errata/RHSA-2021:1339

Comment 15 errata-xmlrpc 2021-04-22 19:07:41 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.14

Via RHSA-2021:1338 https://access.redhat.com/errata/RHSA-2021:1338

Comment 16 errata-xmlrpc 2021-05-18 14:43:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1746 https://access.redhat.com/errata/RHSA-2021:1746

Comment 17 errata-xmlrpc 2021-05-19 04:02:36 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.10

Via RHSA-2021:2021 https://access.redhat.com/errata/RHSA-2021:2021

Comment 18 errata-xmlrpc 2021-05-24 13:05:36 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.14

Via RHSA-2021:2093 https://access.redhat.com/errata/RHSA-2021:2093

Comment 19 errata-xmlrpc 2021-05-24 16:05:28 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:2095 https://access.redhat.com/errata/RHSA-2021:2095

Comment 20 Red Hat Bugzilla 2023-12-30 04:25:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days