Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM147EB4D07985CB7587528D1FBFB02A47595F2094BB3705844F8CDEA4FBC9E359
HistoryDec 04, 2020 - 4:07 p.m.

Security Bulletin: Upgrade to IBP v2.5.1 to address recent concerns/issues with Golang versions other than 1.14.7

2020-12-0416:07:39
www.ibm.com
14

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON

Summary

There were several security problems found with various/other releases of Golang. We have moved the Golang provided in IBP components and also the Golang used to compile Go-based components in IBP to version 1.14.7.

Vulnerability Details

CVEID:CVE-2020-15586
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a data race in some net/http servers. By sending specially-crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185446 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-14039
**DESCRIPTION:**Go could allow a remote attacker to bypass security restrictions, caused by improper validation on the VerifyOptions.KeyUsages EKU requirements during the X.509 certificate verification. An attacker could exploit this vulnerability to gain access to the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185443 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-7919
**DESCRIPTION:**Go is vulnerable to a denial of service. By sending a malformed X.509 certificate, a remote attacker could exploit this vulnerability to cause a system panic.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178227 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-24553
**DESCRIPTION:**Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the CGI/FCGI handlers. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187776 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-16845
**DESCRIPTION:**Go Language is vulnerable to a denial of service, caused by an infinite read loop in ReadUvarint and ReadVarint in encoding/binary. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186375 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Blockchain Platform (Software/on-prem) All

Remediation/Fixes

Remediation is to move to latest version of IBP (2.5.1).

Workarounds and Mitigations

None

Related

ibm 20
nessus 47
openvas 26
suse 6
debian 3
osv 20
altlinux 5
redhat 12
mageia 3
fedora 5
oraclelinux 1
gitlab 1
alpinelinux 3
veracode 5
prion 5
cve 4
ubuntucve 5
debiancve 5
ubuntu 1
amazon 4
photon 2
redhatcve 3
github 2
wolfi 1
cgr 1
cbl_mariner 4
archlinux 1
freebsd 2
packetstorm 1
cloudfoundry 1
ibm
ibm
Security Bulletin: Security vulnerabilities in Go affect IBM Cloud Pak for Multicloud Management Hybrid GRC.
2021-02-04 21:36:22
Security Bulletin: IBM Cloud Pak for Integration Operators affected by multiple vulnerabilities
2020-10-02 13:03:47
Security Bulletin: Golang Vulnerabilities in IBM Cloud CLI 1.1.0 or earlier
2020-08-20 19:29:57
nessus
nessus
openSUSE Security Update : go1.14 (openSUSE-2020-1405)
2020-09-14 00:00:00
SUSE SLED15 / SLES15 Security Update : go1.14 (SUSE-SU-2020:2562-1)
2020-09-08 00:00:00
openSUSE Security Update : go1.14 (openSUSE-2020-1407)
2020-09-14 00:00:00
openvas
openvas
openSUSE: Security Advisory for go1.14 (openSUSE-SU-2020:1405-1)
2020-09-11 00:00:00
SUSE: Security Advisory (SUSE-SU-2020:2562-1)
2021-06-09 00:00:00
openSUSE: Security Advisory for go1.14 (openSUSE-SU-2020:1407-1)
2020-09-12 00:00:00
suse
suse
Security update for go1.14 (important)
2020-09-11 00:00:00
Security update for go1.14 (important)
2020-09-11 00:00:00
Security update for go1.13 (important)
2020-07-27 00:00:00
debian
debian
[SECURITY] [DSA 4848-1] golang-1.11 security update
2021-02-08 21:24:37
[SECURITY] [DLA 2459-1] golang-1.7 security update
2020-11-21 16:30:21
[SECURITY] [DLA 2460-1] golang-1.8 security update
2020-11-21 17:30:21
osv
osv
golang-1.11 - security update
2021-02-08 00:00:00
golang-1.7 - security update
2020-11-21 00:00:00
golang-1.8 - security update
2020-11-21 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.14.6-alt1
2020-07-23 00:00:00
Security fix for the ALT Linux 9 package golang version 1.14.6-alt1
2020-07-27 00:00:00
Security fix for the ALT Linux 10 package golang version 1.15.2-alt1
2020-09-11 00:00:00
redhat
redhat
(RHSA-2021:0713) Low: OpenShift Container Platform 4.5.34 packages and security update
2021-03-11 04:33:08
(RHSA-2020:5119) Moderate: OpenShift Container Platform 4.5.20 packages and golang security update
2020-11-24 11:38:30
(RHSA-2021:1016) Low: OpenShift Container Platform 4.5.37 security update
2021-04-13 22:52:32
mageia
mageia
Updated golang packages fix security vulnerability
2020-08-18 20:41:27
Updated golang packages fix a security vulnerability
2020-11-15 18:45:05
Updated golang packages fix security vulnerability
2020-04-15 13:12:14
fedora
fedora
[SECURITY] Fedora 32 Update: golang-1.14.7-1.fc32
2020-09-07 17:14:54
[SECURITY] Fedora 31 Update: golang-1.13.9-1.fc31
2020-04-09 18:19:14
[SECURITY] Fedora 33 Update: golang-1.15.1-1.fc33
2020-09-25 17:16:07
oraclelinux
oraclelinux
go-toolset:ol8 security update
2020-09-11 00:00:00
gitlab
gitlab
Improper Certificate Validation
2021-06-23 00:00:00
alpinelinux
alpinelinux
CVE-2020-7919
2020-03-16 21:15:00
CVE-2020-24553
2020-09-02 17:15:00
CVE-2020-15586
2020-07-17 16:15:00
veracode
veracode
Improper Signature Verification
2020-07-17 05:28:54
Denial Of Service (DoS)
2020-07-17 06:00:32
Denial Of Service (DoS)
2020-01-30 02:08:48
prion
prion
Design/Logic Flaw
2020-07-17 16:15:00
Code injection
2020-03-16 21:15:00
Type confusion
2020-09-02 17:15:00
cve
cve
CVE-2020-14039
2020-07-17 16:15:00
CVE-2020-7919
2020-03-16 21:15:00
CVE-2020-24553
2020-09-02 17:15:00
ubuntucve
ubuntucve
CVE-2020-7919
2020-03-16 00:00:00
CVE-2020-24553
2020-09-02 00:00:00
CVE-2020-14039
2020-07-17 00:00:00
debiancve
debiancve
CVE-2020-7919
2020-03-16 21:15:00
CVE-2020-24553
2020-09-02 17:15:00
CVE-2020-14039
2020-07-17 16:15:00
ubuntu
ubuntu
Go vulnerability
2021-03-08 00:00:00
amazon
amazon
Medium: golang
2020-11-14 01:22:00
Medium: golang
2020-11-09 17:10:00
Medium: golang
2020-08-18 20:23:00
photon
photon
Important Photon OS Security Update - PHSA-2020-0087
2020-05-09 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-2.0-0238
2020-05-02 00:00:00
redhatcve
redhatcve
CVE-2020-7919
2020-04-03 20:00:02
CVE-2020-24553
2020-09-02 13:19:56
CVE-2020-15586
2021-08-15 06:10:24
github
github
Helm uses crypto package vulnerable to panic from malformed X.509 certificate
2021-06-23 18:02:39
Infinite loop in xz
2021-12-16 19:16:40
wolfi
wolfi
CVE-2020-7919 vulnerabilities
2024-05-09 15:29:55
cgr
cgr
CVE-2020-7919 vulnerabilities
2024-05-09 15:29:34
cbl_mariner
cbl_mariner
CVE-2020-14039 affecting package golang 1.13.11-
2021-07-08 21:56:48
CVE-2020-24553 affecting package golang 1.13.15-2
2020-11-30 19:30:55
CVE-2020-15586 affecting package golang 1.13.11-
2021-07-08 21:56:48
archlinux
archlinux
[ASA-202009-3] go: cross-site scripting
2020-09-03 00:00:00
freebsd
freebsd
go -- net/http/cgi, net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified
2020-08-20 00:00:00
go -- encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
2020-08-06 00:00:00
packetstorm
packetstorm
Go CGI / FastCGI Transport Cross Site Scripting
2020-09-02 00:00:00
cloudfoundry
cloudfoundry
CVE-2020-15586: Gorouter is vulnerable to DoS Attack via Expect: 100-continue requests | Cloud Foundry
2020-07-15 00:00:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON
Related for 147EB4D07985CB7587528D1FBFB02A47595F2094BB3705844F8CDEA4FBC9E359
ibm20nessus47openvas26suse6debian3osv20altlinux5redhat12mageia3fedora5oraclelinux1gitlab1alpinelinux3veracode5prion5cve4ubuntucve5debiancve5ubuntu1amazon4photon2redhatcve3github2wolfi1cgr1cbl_mariner4archlinux1freebsd2packetstorm1cloudfoundry1