Bug 1918761 (CVE-2021-3115) - CVE-2021-3115 golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3115
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1898822 1918762 1918763 1918766 1920515 1920517 1921144 1921145 1921146 1921147 1921148 1930112 1930113 1930114
Blocks: 1918758
Reported: 2021-01-21 14:21 UTC by Michael Kaplan
Modified: 2023-12-30 04:25 UTC (History)

Fixed In Version: go 1.15.7, go 1.14.14
Doc Text:
A flaw was found in golang: cmd/go, in which Go can execute arbitrary commands at build time when cgo is in use on Windows OS. On Linux/Unix, only users who have "." listed explicitly in their PATH variable are affected. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-02-22 19:01:56 UTC
Embargoed:


Description Michael Kaplan 2021-01-21 14:21:43 UTC
The go command may execute arbitrary code at build time when users have “.” listed explicitly in their PATH and are running “go get” or build commands outside of a module or with module mode disabled.

Comment 1 Michael Kaplan 2021-01-21 14:22:32 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1918762]
Affects: fedora-all [bug 1918763]

Comment 4 Sage McTaggart 2021-01-27 15:40:23 UTC
https://go-review.googlesource.com/c/go/+/284783/ Upstream patch

Comment 6 Hardik Vyas 2021-01-29 12:57:32 UTC
External References:

https://groups.google.com/g/golang-announce/c/mperVMGa98w

Comment 8 Przemyslaw Roguski 2021-02-05 17:01:42 UTC
Statement:

While OpenShift Container Platform (OCP), Red Hat OpenShift Jaeger (RHOSJ), OpenShift Service Mesh (OSSM) and OpenShift Virtualization all contain RPMs and containers which are compiled with a vulnerable version of Go, the vulnerability is specific to the building of Go code itself. Hence the relevant components have been marked as not affected.

Additionally, only the main RPMs and containers for OCP, RHOSJ, OSSM and OpenShift Virtualization are represented due to the large volume of not affected components.

Comment 12 Riccardo Schirone 2021-02-18 12:37:00 UTC
Mitigation:

The flaw can be mitigated by making sure "." is not in your PATH environment variable.
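
A way to check a PATH value against the mitigation in comment 12, added here as an example and not part of the bug report or of Go itself. The function names and the sample PATH are constructed for illustration; the check also covers empty PATH entries, which POSIX shells treat the same as ".".

```shell
#!/bin/sh
# Added example: find PATH entries that make command lookup search the
# current directory, and print a PATH with them removed.

# is_cwd_entry ENTRY: succeeds if ENTRY names the current directory.
# POSIX treats an empty entry (leading, trailing or doubled ':') like ".".
is_cwd_entry() {
    e=$1
    while :; do
        case "$e" in
            ''|.) return 0 ;;
            ./*)  e=${e#./}                 # "./", ".//", "././." are "." too
                  while [ "${e#/}" != "$e" ]; do e=${e#/}; done ;;
            *)    return 1 ;;
        esac
    done
}

# cwd_path_positions PATHSTR: print the 1-based positions of such entries.
cwd_path_positions() {
    rest="$1:"; pos=0; hits=            # trailing ':' terminates the last entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        if is_cwd_entry "$entry"; then hits="${hits:+$hits }$pos"; fi
    done
    printf '%s\n' "$hits"
}

# strip_cwd_entries PATHSTR: print PATHSTR without those entries.
strip_cwd_entries() {
    rest="$1:"; out=
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        is_cwd_entry "$entry" || out="${out:+$out:}$entry"
    done
    printf '%s\n' "$out"
}

# Constructed sample value (not from the bug report): ".", an empty entry, "./".
sample='/usr/local/bin:.:/usr/bin::/home/dev/go/bin:./'
printf 'flagged positions: %s\n' "$(cwd_path_positions "$sample")"
printf 'cleaned PATH:      %s\n' "$(strip_cwd_entries "$sample")"
printf 'this shell:        %s\n' "$(cwd_path_positions "$PATH")"
```

Only entries that name the current directory itself are flagged; other relative entries such as `./bin` are left as they are.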

Comment 13 Product Security DevOps Team 2021-02-22 19:01:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3115

Comment 14 errata-xmlrpc 2021-04-22 18:17:43 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:1339 https://access.redhat.com/errata/RHSA-2021:1339

Comment 15 errata-xmlrpc 2021-04-22 19:07:41 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.14

Via RHSA-2021:1338 https://access.redhat.com/errata/RHSA-2021:1338

Comment 16 errata-xmlrpc 2021-05-18 14:43:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1746 https://access.redhat.com/errata/RHSA-2021:1746

Comment 17 errata-xmlrpc 2021-05-19 04:02:36 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.10

Via RHSA-2021:2021 https://access.redhat.com/errata/RHSA-2021:2021

Comment 18 errata-xmlrpc 2021-05-24 13:05:36 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.14

Via RHSA-2021:2093 https://access.redhat.com/errata/RHSA-2021:2093

Comment 19 errata-xmlrpc 2021-05-24 16:05:28 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:2095 https://access.redhat.com/errata/RHSA-2021:2095

Comment 20 Red Hat Bugzilla 2023-12-30 04:25:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

