SB2020072735 - Multiple vulnerabilities in Go

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper Certificate Validation (CVE-ID: CVE-2020-14039)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists when "VerifyOptions.Roots" is nil, "Certificate.Verify" does not check the EKU requirements specified in "VerifyOptions.KeyUsages".

2) Race condition (CVE-ID: CVE-2020-15586)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler. A remote attacker can exploit the race and cause a denial of service condition on the target system.

Remediation

Install update from vendor's website.

References

• http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
• https://groups.google.com/forum/#!forum/golang-announce
• https://groups.google.com/forum/#!topic/golang-announce/XZNfaiwgt2w
• https://groups.google.com/forum/#!topic/golang-announce/f2c5bqrGH_g
• https://www.cloudfoundry.org/blog/cve-2020-15586/