Bug 1918761 (CVE-2021-3115) - CVE-2021-3115 golang: cmd/go: packages using cgo can cause arbitrary code execution at build time [NEEDINFO]
Summary: CVE-2021-3115 golang: cmd/go: packages using cgo can cause arbitrary code exe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3115
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1918766 1921144 1921145 1921147 1898822 1918762 1918763 1920515 1920517 1921146 1921148 1930112 1930113 1930114
Blocks: 1918758
TreeView+ depends on / blocked
 
Reported: 2021-01-21 14:21 UTC by Michael Kaplan
Modified: 2021-06-17 16:20 UTC (History)
62 users (show)

Fixed In Version: go 1.15.7, go 1.14.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang: cmd/go, in which Go can execute arbitrary commands at build time when cgo is in use on Windows OS. On Linux/Unix, only users who have "." listed explicitly in their PATH variable are affected. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-02-22 19:01:56 UTC
krathod: needinfo? (hgomes)


Attachments (Terms of Use)

Description Michael Kaplan 2021-01-21 14:21:43 UTC
The go command may execute arbitrary code at build time when users have “.” listed explicitly in their PATH and are running “go get” or build commands outside of a module or with module mode disabled.

Comment 1 Michael Kaplan 2021-01-21 14:22:32 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1918762]
Affects: fedora-all [bug 1918763]

Comment 4 amctagga 2021-01-27 15:40:23 UTC
https://go-review.googlesource.com/c/go/+/284783/ Upstream patch

Comment 6 Hardik Vyas 2021-01-29 12:57:32 UTC
External References:

https://groups.google.com/g/golang-announce/c/mperVMGa98w

Comment 8 Przemyslaw Roguski 2021-02-05 17:01:42 UTC
Statement:

While OpenShift Container Platform (OCP), Red Hat OpenShift Jaeger (RHOSJ),  OpenShift Service Mesh (OSSM)  and OpenShift Virtualization all contain RPMs and containers which are compiled with a vulnerable version of Go, the vulnerability is specific to the building of Go code itself.  Hence the relevant components have been marked as not affected.

Additionally, only the main RPMs and containers for OCP, RHOSJ, OSSM and OpenShift Virtualization are represented due to the large volume of not affected components.

Comment 12 Riccardo Schirone 2021-02-18 12:37:00 UTC
Mitigation:

The flaw can be mitigated by making sure "." is not in your PATH environment variable.

Comment 13 Product Security DevOps Team 2021-02-22 19:01:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3115

Comment 14 errata-xmlrpc 2021-04-22 18:17:43 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:1339 https://access.redhat.com/errata/RHSA-2021:1339

Comment 15 errata-xmlrpc 2021-04-22 19:07:41 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.14

Via RHSA-2021:1338 https://access.redhat.com/errata/RHSA-2021:1338

Comment 16 errata-xmlrpc 2021-05-18 14:43:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1746 https://access.redhat.com/errata/RHSA-2021:1746

Comment 17 errata-xmlrpc 2021-05-19 04:02:36 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.10

Via RHSA-2021:2021 https://access.redhat.com/errata/RHSA-2021:2021

Comment 18 errata-xmlrpc 2021-05-24 13:05:36 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.14

Via RHSA-2021:2093 https://access.redhat.com/errata/RHSA-2021:2093

Comment 19 errata-xmlrpc 2021-05-24 16:05:28 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:2095 https://access.redhat.com/errata/RHSA-2021:2095


Note You need to log in before you can comment on or make changes to this bug.