Bug 1918761 (CVE-2021-3115)
| Field | Value |
|---|---|
| Summary | CVE-2021-3115 golang: cmd/go: packages using cgo can cause arbitrary code execution at build time |
| Product | [Other] Security Response |
| Reporter | Michael Kaplan <mkaplan> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | admiller, amctagga, amurdaca, anharris, aos-bugs, asm, bbrownin, bmontgom, bniver, bodavis, deparker, dramseur, emachado, eparis, fdeutsch, flucifre, fweimer, gmeno, hchiramm, hgomes, hvyas, jakub, jburrell, jcajka, jcosta, jhunter, jmulligan, jokerman, jpadman, jshaughn, jwendell, jwon, kconner, kmitts, krathod, law, lemenkov, madam, markito, mbenjamin, mgala, mhackett, mjudeiki, mnewsome, mpolacek, nstielau, ohudlick, puebele, rcernich, renich, rhs-bugs, rrajasek, rtalur, security-response-team, sipoyare, sostapov, sponnaga, storage-qa-internal, swshanka, team-winc, tstellar, twalsh, vbatts, vereddy |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | go 1.15.7, go 1.14.14 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in golang: cmd/go, in which Go can execute arbitrary commands at build time when cgo is in use. All Windows hosts are affected; on Linux/Unix, only users who have "." listed in their PATH variable are affected. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2021-02-22 19:01:56 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1898822, 1918762, 1918763, 1918766, 1920515, 1920517, 1921144, 1921145, 1921146, 1921147, 1921148, 1930112, 1930113, 1930114 |
| Bug Blocks | 1918758 |
Description

Michael Kaplan 2021-01-21 14:21:43 UTC

Created golang tracking bugs for this issue:

Affects: epel-all [bug 1918762]
Affects: fedora-all [bug 1918763]

Upstream patch:
https://go-review.googlesource.com/c/go/+/284783/

Upstream issue and commit:
https://github.com/golang/go/issues/43783
https://github.com/golang/go/commit/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0

External References:
https://groups.google.com/g/golang-announce/c/mperVMGa98w

Statement:
While OpenShift Container Platform (OCP), Red Hat OpenShift Jaeger (RHOSJ), OpenShift Service Mesh (OSSM) and OpenShift Virtualization all contain RPMs and containers which are compiled with a vulnerable version of Go, the vulnerability is specific to the building of Go code itself. Hence the relevant components have been marked as not affected. Additionally, only the main RPMs and containers for OCP, RHOSJ, OSSM and OpenShift Virtualization are represented due to the large volume of not affected components.

Mitigation:
The flaw can be mitigated by making sure "." is not in your PATH environment variable.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-3115

This issue has been addressed in the following products:
  Openshift Serverless 1 on RHEL 8
Via RHSA-2021:1339 https://access.redhat.com/errata/RHSA-2021:1339

This issue has been addressed in the following products:
  Openshift Serverless 1.14
Via RHSA-2021:1338 https://access.redhat.com/errata/RHSA-2021:1338

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2021:1746 https://access.redhat.com/errata/RHSA-2021:1746

This issue has been addressed in the following products:
  Openshift Serverless 1.10
Via RHSA-2021:2021 https://access.redhat.com/errata/RHSA-2021:2021

This issue has been addressed in the following products:
  Openshift Serverless 1.14
Via RHSA-2021:2093 https://access.redhat.com/errata/RHSA-2021:2093

This issue has been addressed in the following products:
  Openshift Serverless 1 on RHEL 8
Via RHSA-2021:2095 https://access.redhat.com/errata/RHSA-2021:2095

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
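The Mitigation ("." not in PATH) and the Doc Text's platform note describe one condition: a build tool name such as gcc being resolved through a PATH entry that points at the current working directory, which while cmd/go builds a package is that package's own source tree. The Go program below is an added example, not code from this bug or from the upstream patch. It audits PATH for entries that expose the current directory (an explicit ".", an empty entry, or any other relative entry) and resolves a tool name the way a hardened lookup should, refusing a match that came through a relative entry instead of running whatever binary the current directory contains. `UnsafePathEntries`, `FindTool` and `ErrRelativeMatch` are names chosen here. The check applies to Linux/Unix; on Windows the current directory is searched implicitly before PATH, so a PATH audit alone does not protect a Windows build host and the fix there is the patched Go release (1.15.7 / 1.14.14).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrRelativeMatch is returned when a tool was found through a PATH entry
// that is relative to the current working directory. That is the
// CVE-2021-3115 condition on Unix: the build host has "." in PATH and the
// package directory being built contains a file with the tool's name.
// (Name chosen for this example.)
var ErrRelativeMatch = errors.New("tool resolved through a relative PATH entry; refusing to run it")

// UnsafePathEntries returns the entries of pathEnv (split on sep) that make
// the current working directory searchable: "." itself, empty entries
// (which POSIX treats as the current directory) and any other relative entry.
// This is the audit behind the advisory's mitigation.
func UnsafePathEntries(pathEnv, sep string) []string {
	var bad []string
	for _, e := range strings.Split(pathEnv, sep) {
		if e == "" {
			bad = append(bad, "(empty)")
			continue
		}
		if !filepath.IsAbs(e) {
			bad = append(bad, e)
		}
	}
	return bad
}

// isExecutable reports whether p is a regular file with an execute bit set.
func isExecutable(p string) bool {
	fi, err := os.Stat(p)
	if err != nil || !fi.Mode().IsRegular() {
		return false
	}
	return fi.Mode()&0o111 != 0
}

// FindTool walks pathEnv (split on sep) looking for tool, in order, like a
// PATH lookup. Unlike a naive lookup it refuses the result when the first
// match lives in a relative entry, so a gcc dropped into the directory
// being built is reported instead of executed. A name containing a path
// separator is an explicit path chosen by the caller and is returned as-is
// when it is executable.
func FindTool(tool, pathEnv, sep string) (string, error) {
	if strings.ContainsRune(tool, os.PathSeparator) {
		if isExecutable(tool) {
			return tool, nil
		}
		return "", fmt.Errorf("%s: not an executable file", tool)
	}
	for _, dir := range strings.Split(pathEnv, sep) {
		if dir == "" {
			dir = "." // empty PATH entry means the current directory
		}
		cand := filepath.Join(dir, tool)
		if !isExecutable(cand) {
			continue
		}
		if !filepath.IsAbs(dir) {
			return "", fmt.Errorf("%s found at %s: %w", tool, cand, ErrRelativeMatch)
		}
		return cand, nil
	}
	return "", fmt.Errorf("%s: not found in PATH", tool)
}

func main() {
	pathEnv := os.Getenv("PATH")
	sep := string(os.PathListSeparator)
	if bad := UnsafePathEntries(pathEnv, sep); len(bad) > 0 {
		fmt.Println("PATH entries that expose the current directory:", bad)
	} else {
		fmt.Println("PATH contains only absolute entries")
	}
	p, err := FindTool("gcc", pathEnv, sep)
	if err != nil {
		fmt.Println("gcc:", err)
		return
	}
	fmt.Println("gcc resolves to", p)
}
```

Since Go 1.19 the standard library's exec.LookPath performs the same refusal itself (a match through a relative PATH entry returns an error satisfying errors.Is(err, exec.ErrDot)); FindTool reimplements the rule here so the behaviour is visible and testable against a constructed PATH. Run the program from an untrusted checkout with PATH=.:$PATH to see the relative match rejected.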