Multiple Go Vulnerabilities Fixed in Ubuntu

Rohan Timalsina

January 24, 2024 - TuxCare expert team

Go is an open-source programming language that has gained popularity for its efficiency and simplicity. However, as with any software, vulnerabilities can lurk within its libraries and modules. It is essential to stay aware of these vulnerabilities and apply fixes on time to safeguard applications and maintain secure code.

Recent Ubuntu security updates addressed several Go vulnerabilities in different releases, highlighting the importance of regular vulnerability checks. Let’s delve into these issues and understand the impacts they could have on your Ubuntu systems.

Ubuntu Fixed Go Vulnerabilities

CVE-2023-39318, CVE-2023-39319 (CVSS 3 Severity Score: 6.1 Medium)

One of the Go vulnerabilities discovered by Takeshi Kaneko pertains to Go’s html/template module. This flaw allows attackers to inject malicious JavaScript code, potentially leading to a cross-site scripting attack. Notably, this issue only affects Go 1.20 in Ubuntu 20.04 LTS, 22.04 LTS, and 23.04.

CVE-2023-39323 (CVSS 3 Severity Score: 8.1 High)

Another significant concern arises from Go failing to properly validate “//go:cgo_” directives during compilation. Exploiting this vulnerability could enable an attacker to inject arbitrary code at compile time, posing a serious security threat.

CVE-2023-39325, CVE-2023-44487 (CVSS 3 Severity Score: 7.5 High)

Go’s net/http module, responsible for handling HTTP requests, did not limit the number of simultaneously executing handler goroutines. Attackers could exploit this flaw to cause a panic, resulting in a denial of service.

CVE-2023-39326 (CVSS 3 Severity Score: 5.3 Medium)

The net/http module in Go also failed to properly validate chunk extensions when reading from a request or response body. This flaw opens up the possibility for attackers to read sensitive information.

CVE-2023-45285 (CVSS 3 Severity Score: 7.5 High)

Go’s handling of the insecure “git://” protocol when using go get to fetch a module with the “.git” suffix was identified as another risk. Attackers could exploit this vulnerability to bypass Go’s secure protocol checks, posing a threat to the overall security of the system.

Conclusion

Keeping your Ubuntu system secure is a continuous effort, especially in the ever-evolving landscape of cybersecurity. The recent security updates addressing Go vulnerabilities underscore the importance of staying vigilant and promptly applying updates. By staying informed and proactive, Ubuntu users can mitigate the risks associated with these identified vulnerabilities and ensure the integrity of their systems.

Patching these vulnerabilities requires a reboot after updating the system. Ubuntu systems that cannot afford any downtime can opt for a rebootless patching solution, KernelCare Enterprise. KernelCare automates the deployment of security patches without having to reboot the system. It supports a wide range of enterprise Linux distributions, including Ubuntu, RHEL, CentOS, Oracle Linux, AlmaLinux, Rocky Linux, and more.

For more details about KernelCare live patching, refer to this guide.

The sources for this article can be found on USN-6574-1.
