Multiple Go Vulnerabilities Fixed in Ubuntu
Go is an open-source programming language that has gained popularity for efficiency and simplicity. However, as with any software, vulnerabilities can lurk within its libraries and modules. It is essential to stay aware of these vulnerabilities and apply fixes on time for safeguarding apps and maintaining secure code.
Recent Ubuntu security updates addressed several Go vulnerabilities in different releases, highlighting the importance of regular vulnerability checks. Let’s delve into these issues and understand the impacts they could have on your Ubuntu systems.
Ubuntu Fixed Go Vulnerabilities
CVE-2023-39318, CVE-2023-39319 (Cvss 3 Severity Score: 6.1 Medium)
CVE-2023-39323 (Cvss 3 Severity Score: 8.1 High)
Another significant concern arises from Go’s lack of proper validation of “//go:cgo_” directives during compilation. Exploiting this vulnerability could enable an attacker to inject arbitrary code during compile time, posing a serious security threat.
CVE-2023-39325, CVE-2023-44487 (Cvss 3 Severity Score: 7.5 High)
Go’s net/http module, responsible for handling HTTP requests, faced a vulnerability related to the limitation of simultaneously executing handler goroutines. This flaw could be exploited by attackers to cause panic, resulting in a denial of service.
CVE-2023-39326 (Cvss 3 Severity Score: 5.3 Medium)
The net/http module in Go exhibited a vulnerability wherein it failed to properly validate chunk extensions when reading from a request or response body. This flaw opens up the possibility for attackers to read sensitive information, compromising the integrity of the system.
CVE-2023-45285 (Cvss 3 Severity Score: 7.5 High)
Go’s handling of the insecure “git://” protocol when using go get to fetch a module with the “.git” suffix has been identified as another potential risk. Attackers could exploit this vulnerability to bypass secure protocol checks, posing a threat to the overall security of the system.
Keeping your Ubuntu system secure is a continuous effort, especially in the ever-evolving landscape of cybersecurity. The recent security updates addressing Go vulnerabilities underscore the importance of staying vigilant and promptly applying updates. By staying informed and proactive, Ubuntu users can mitigate the risks associated with these identified vulnerabilities and ensure the integrity of their systems.
Patching these vulnerabilities requires a reboot after updating the system. Ubuntu systems that cannot afford any downtime can opt for a rebootless patching solution, KernelCare Enterprise. KernelCare automates the deployment of security patches to the system without having to reboot the system. It supports a wide range of Linux enterprise distributions, like Ubuntu, RHEL, CentOS, Oracle Linux, AlmaLinux, RHEL, Rocky Linux, and more.
For more details about KernelCare live patching, refer to this guide.
The sources for this article can be found on USN-6574-1.