Security Bulletin: Multiple vulnerabilities in Golang Go affect IBM Storage Copy Data Management components that leverage Go

Summary

Multiple vulnerabilities in Golang Go affect IBM Storage Copy Data Management components that leverage Go (essentially VADP ‘VM’ backup). Vulnerabilities including execution of arbitrary code on the system, remote attacker can cause an infinite loop, as described by the CVEs in the “Vulnerability Details” section. The vulnerabilities have been addressed. CVE-2024-24787, CVE-2024-24788.

Vulnerability Details

CVEID:CVE-2024-24787
**DESCRIPTION:**Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a flaw during build on darwin. By building a Go module contains CGO, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290106 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2024-24788
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a high cpu usage in extractExtendedRCode function in the net module. By sending a specially crafted DNS message in response to a query, a remote attacker could exploit this vulnerability to cause an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290108 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Affected Versions|**Fixing
**Level|Platform|**Link to Fix and Instructions
**
—|—|—|—
2.2.0.0 - 2.2.23.1| 2.2.24.0| Linux| <https://www.ibm.com/support/pages/node/7150077&gt;

Workarounds and Mitigations

None