SB2020072735 - Multiple vulnerabilities in Go
Published: July 27, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Improper Certificate Validation (CVE-ID: CVE-2020-14039)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists when "VerifyOptions.Roots" is nil, "Certificate.Verify" does not check the EKU requirements specified in "VerifyOptions.KeyUsages".
2) Race condition (CVE-ID: CVE-2020-15586)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler. A remote attacker can exploit the race and cause a denial of service condition on the target system.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
- https://groups.google.com/forum/#!forum/golang-announce
- https://groups.google.com/forum/#!topic/golang-announce/XZNfaiwgt2w
- https://groups.google.com/forum/#!topic/golang-announce/f2c5bqrGH_g
- https://www.cloudfoundry.org/blog/cve-2020-15586/