Vulnerabilities > CVE-2019-16276 - HTTP Request Smuggling vulnerability in multiple products

Part	Description	Count
Application	Golang Golang GO 1.13 Golang GO - Golang GO 0.0.0-20201203163018-Be400Aefbc4C Golang GO 1.0 Golang GO 1.0.1 Golang GO 1.0.2 Golang GO 1.0.3 Golang GO 1.1 Golang GO 1.1.1 Golang GO 1.1.2 Golang GO 1.2 Golang GO 1.2.1 Golang GO 1.2.2 Golang GO 1.3 Golang GO 1.3.1 Golang GO 1.3.2 Golang GO 1.3.3 Golang GO 1.4 Golang GO 1.4.1 Golang GO 1.4.2 Golang GO 1.4.3 Golang GO 1.5 Golang GO 1.5.1 Golang GO 1.5.2 Golang GO 1.5.3 Golang GO 1.5.4 Golang GO 1.6 Golang GO 1.6.1 Golang GO 1.6.2 Golang GO 1.6.3 Golang GO 1.6.4 Golang GO 1.7 Golang GO 1.7.1 Golang GO 1.7.2 Golang GO 1.7.3 Golang GO 1.7.4 Golang GO 1.7.5 Golang GO 1.7.6 Golang GO 1.8 Golang GO 1.8.1 Golang GO 1.8.2 Golang GO 1.8.3 Golang GO 1.8.4 Golang GO 1.8.5 Golang GO 1.8.6 Golang GO 1.8.7 Golang GO 1.9 Golang GO 1.9.1 Golang GO 1.9.2 Golang GO 1.9.3 Golang GO 1.9.4 Golang GO 1.9.5 Golang GO 1.9.6 Golang GO 1.9.7 Golang GO 1.10 Golang GO 1.10.1 Golang GO 1.10.2 Golang GO 1.10.3 Golang GO 1.10.4 Golang GO 1.10.5 Golang GO 1.10.6 Golang GO 1.10.7 Golang GO 1.10.8 Golang GO 1.11.0 Golang GO 1.11.1 Golang GO 1.11.2 Golang GO 1.11.3 Golang GO 1.11.4 Golang GO 1.11.5 Golang GO 1.11.6 Golang GO 1.11.7 Golang GO 1.11.8 Golang GO 1.11.9 Golang GO 1.11.10 Golang GO 1.11.11 Golang GO 1.11.12 Golang GO 1.11.13 Golang GO 1.12 Golang GO 1.12.0 Golang GO 1.12.1 Golang GO 1.12.2 Golang GO 1.12.3 Golang GO 1.12.4 Golang GO 1.12.5 Golang GO 1.12.6 Golang GO 1.12.7 Golang GO 1.12.8 Golang GO 1.12.9	149
Application	Redhat Redhat Openshift Container Platform 4.2 Redhat Developer Tools 1.0	2
Application	Netapp Netapp Cloud Insights Telegraf Agent -	1
OS	Debian Debian Debian Linux 9.0	1
OS	Opensuse Opensuse Leap 15.0 Opensuse Leap 15.1	2
OS	Fedoraproject Fedoraproject Fedora 29 Fedoraproject Fedora 30 Fedoraproject Fedora 31	3
OS	Redhat Redhat Enterprise Linux 7.0 Redhat Enterprise Linux 8.0 Redhat Enterprise Linux EUS 8.1	3

Common Weakness Enumeration (CWE)

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Common Attack Pattern Enumeration and Classification (CAPEC)

HTTP Request Splitting
HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
HTTP Request Smuggling
HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.

Nessus

NASL family	Amazon Linux Local Security Checks
NASL id	AL2_ALAS-2019-1335.NASL
description	It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration.(CVE-2019-16276)
last seen	2020-06-01
modified	2020-06-02
plugin id	130231
published	2019-10-25
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130231
title	Amazon Linux 2 : golang (ALAS-2019-1335)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux 2 Security Advisory ALAS-2019-1335. # include("compat.inc"); if (description) { script_id(130231); script_version("1.4"); script_cvs_date("Date: 2020/01/09"); script_cve_id("CVE-2019-16276"); script_xref(name:"ALAS", value:"2019-1335"); script_xref(name:"IAVB", value:"2019-B-0085"); script_name(english:"Amazon Linux 2 : golang (ALAS-2019-1335)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux 2 host is missing a security update." ); script_set_attribute( attribute:"description", value: "It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration.(CVE-2019-16276)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2019-1335.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update golang' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-docs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-misc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-src"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-tests"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/25"); script_set_attribute(attribute:"stig_severity", value:"II"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) \|\| !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A\|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "2") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"golang-1.9.4-3.amzn2.0.3")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"golang-bin-1.9.4-3.amzn2.0.3")) flag++; if (rpm_check(release:"AL2", reference:"golang-docs-1.9.4-3.amzn2.0.3")) flag++; if (rpm_check(release:"AL2", reference:"golang-misc-1.9.4-3.amzn2.0.3")) flag++; if (rpm_check(release:"AL2", reference:"golang-src-1.9.4-3.amzn2.0.3")) flag++; if (rpm_check(release:"AL2", reference:"golang-tests-1.9.4-3.amzn2.0.3")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "golang / golang-bin / golang-docs / golang-misc / golang-src / etc"); }

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4534.NASL
description	It was discovered that the Go programming language did accept and normalize invalid HTTP/1.1 headers with a space before the colon, which could lead to filter bypasses or request smuggling in some setups.
last seen	2020-06-01
modified	2020-06-02
plugin id	129412
published	2019-09-30
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129412
title	Debian DSA-4534-1 : golang-1.11 - security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4534. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(129412); script_version("1.5"); script_cvs_date("Date: 2020/01/09"); script_cve_id("CVE-2019-16276"); script_xref(name:"DSA", value:"4534"); script_xref(name:"IAVB", value:"2019-B-0085"); script_name(english:"Debian DSA-4534-1 : golang-1.11 - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that the Go programming language did accept and normalize invalid HTTP/1.1 headers with a space before the colon, which could lead to filter bypasses or request smuggling in some setups." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/golang-1.11" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/buster/golang-1.11" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4534" ); script_set_attribute( attribute:"solution", value: "Upgrade the golang-1.11 packages. For the stable distribution (buster), this problem has been fixed in version 1.11.6-1+deb10u2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-1.11"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30"); script_set_attribute(attribute:"patch_publication_date", value:"2019/09/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/30"); script_set_attribute(attribute:"stig_severity", value:"II"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"10.0", prefix:"golang-1.11", reference:"1.11.6-1+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"golang-1.11-doc", reference:"1.11.6-1+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"golang-1.11-go", reference:"1.11.6-1+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"golang-1.11-src", reference:"1.11.6-1+deb10u2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2019-2521.NASL
description	This update for go1.12 fixes the following issues : Security issues fixed : - CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082). - CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402). Non-security issue fixed : - Go was updated to version 1.12.12 (bsc#1141689). This update was imported from the SUSE:SLE-15:Update update project.
last seen	2020-06-01
modified	2020-06-02
plugin id	131116
published	2019-11-18
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131116
title	openSUSE Security Update : go1.12 (openSUSE-2019-2521)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2019-2521. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(131116); script_version("1.3"); script_cvs_date("Date: 2020/01/09"); script_cve_id("CVE-2019-16276", "CVE-2019-17596"); script_xref(name:"IAVB", value:"2019-B-0085"); script_name(english:"openSUSE Security Update : go1.12 (openSUSE-2019-2521)"); script_summary(english:"Check for the openSUSE-2019-2521 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for go1.12 fixes the following issues : Security issues fixed : - CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082). - CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402). Non-security issue fixed : - Go was updated to version 1.12.12 (bsc#1141689). This update was imported from the SUSE:SLE-15:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1141689" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1152082" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1154402" ); script_set_attribute( attribute:"solution", value:"Update the affected go1.12 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:go1.12"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:go1.12-race"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/18"); script_set_attribute(attribute:"stig_severity", value:"II"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.0", reference:"go1.12-1.12.12-lp150.11.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"go1.12-race-1.12.12-lp150.11.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "go1.12 / go1.12-race"); }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-0329.NASL
description	An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix(es) : * golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling (CVE-2019-16276) * golang: invalid public key causes panic in dsa.Verify (CVE-2019-17596) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen	2020-05-21
modified	2020-02-05
plugin id	133478
published	2020-02-05
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133478
title	RHEL 8 : go-toolset:rhel8 (RHSA-2020:0329)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:0329. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(133478); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/20"); script_cve_id("CVE-2019-16276", "CVE-2019-17596"); script_xref(name:"RHSA", value:"2020:0329"); script_name(english:"RHEL 8 : go-toolset:rhel8 (RHSA-2020:0329)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix(es) : * golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling (CVE-2019-16276) * golang: invalid public key causes panic in dsa.Verify (CVE-2019-17596) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:0329" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16276" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17596" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11043"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:go-toolset"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-docs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-misc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-race"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-src"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-tests"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8::appstream"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^8([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 8.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu); module_ver = get_kb_item('Host/RedHat/appstream/go-toolset'); if (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module go-toolset:rhel8'); if ('rhel8' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module go-toolset:' + module_ver); appstreams = { 'go-toolset:rhel8': [ {'reference':'go-toolset-1.12.12-2.module+el8.1.0+5317+8a49ffbb', 'cpu':'aarch64', 'release':'8'}, {'reference':'go-toolset-1.12.12-2.module+el8.1.0+5317+8a49ffbb', 'cpu':'s390x', 'release':'8'}, {'reference':'go-toolset-1.12.12-2.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'}, {'reference':'golang-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'aarch64', 'release':'8'}, {'reference':'golang-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'s390x', 'release':'8'}, {'reference':'golang-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'}, {'reference':'golang-bin-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'aarch64', 'release':'8'}, {'reference':'golang-bin-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'s390x', 'release':'8'}, {'reference':'golang-bin-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'}, {'reference':'golang-docs-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'}, {'reference':'golang-misc-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'}, {'reference':'golang-race-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'}, {'reference':'golang-src-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'}, {'reference':'golang-tests-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'} ], }; flag = 0; appstreams_found = 0; foreach module (keys(appstreams)) { appstream = NULL; appstream_name = NULL; appstream_version = NULL; appstream_split = split(module, sep:':', keep:FALSE); if (!empty_or_null(appstream_split)) { appstream_name = appstream_split[0]; appstream_version = appstream_split[1]; appstream = get_kb_item('Host/RedHat/appstream/' + appstream_name); } if (!empty_or_null(appstream) && appstream_version == appstream \|\| appstream_name == 'all') { appstreams_found++; foreach package_array ( appstreams[module] ) { reference = NULL; release = NULL; sp = NULL; cpu = NULL; el_string = NULL; rpm_spec_vers_cmp = NULL; epoch = NULL; if (!empty_or_null(package_array['reference'])) reference = package_array['reference']; if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release']; if (!empty_or_null(package_array['sp'])) sp = package_array['sp']; if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu']; if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string']; if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp']; if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch']; if (reference && release) { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++; } } } } if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module go-toolset:rhel8'); if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'go-toolset / golang / golang-bin / etc'); }

NASL family	Amazon Linux Local Security Checks
NASL id	ALA_ALAS-2020-1336.NASL
description	It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration.(CVE-2019-16276) Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.(CVE-2019-16276)
last seen	2020-06-01
modified	2020-06-02
plugin id	133006
published	2020-01-17
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133006
title	Amazon Linux AMI : golang (ALAS-2020-1336)

NASL family	Amazon Linux Local Security Checks
NASL id	AL2_ALAS-2020-1383.NASL
description	It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration. (CVE-2019-16276)
last seen	2020-06-01
modified	2020-06-02
plugin id	133093
published	2020-01-21
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133093
title	Amazon Linux 2 : golang (ALAS-2020-1383)

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2020-1_0-0264_GO.NASL
description	An update of the go package has been released.
last seen	2020-06-01
modified	2020-06-02
plugin id	132981
published	2020-01-16
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132981
title	Photon OS 1.0: Go PHSA-2020-1.0-0264

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2019-2522.NASL
description	This update for go1.12 fixes the following issues : Security issues fixed : - CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082). - CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402). Non-security issue fixed : - Go was updated to version 1.12.12 (bsc#1141689). This update was imported from the SUSE:SLE-15:Update update project.
last seen	2020-06-01
modified	2020-06-02
plugin id	131117
published	2019-11-18
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131117
title	openSUSE Security Update : go1.12 (openSUSE-2019-2522)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_A92DCC5CE05C11E9B58910C37B4AC2EA.NASL
description	The Go project reports : net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn
last seen	2020-06-01
modified	2020-06-02
plugin id	129426
published	2019-09-30
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129426
title	FreeBSD : go -- invalid headers are normalized, allowing request smuggling (a92dcc5c-e05c-11e9-b589-10c37b4ac2ea)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2019-416D20F960.NASL
description	- Rebase to 1.12.10 - Security fix for CVE-2019-16276 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	129767
published	2019-10-10
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129767
title	Fedora 30 : golang (2019-416d20f960)

NASL family	Amazon Linux Local Security Checks
NASL id	ALA_ALAS-2019-1321.NASL
description	It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration. (CVE-2019-16276)
last seen	2020-06-01
modified	2020-06-02
plugin id	131241
published	2019-11-25
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131241
title	Amazon Linux AMI : golang (ALAS-2019-1321)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-0101.NASL
description	An update for go-toolset-1.12 and go-toolset-1.12-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: go-toolset-1.12-golang (1.12.12). (BZ#1759840, BZ#1785389) Security Fix(es) : * golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling (CVE-2019-16276) * golang: invalid public key causes panic in dsa.Verify (CVE-2019-17596) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	132948
published	2020-01-16
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132948
title	RHEL 7 : go-toolset-1.12-golang (RHSA-2020:0101)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2019-1B8CBD39FF.NASL
description	- Rebase to 1.13.1 - Security fix for CVE-2019-16276 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	129698
published	2019-10-08
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129698
title	Fedora 31 : golang (2019-1b8cbd39ff)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2529.NASL
description	According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.(CVE-2019-16276) - Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.(CVE-2019-17596) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-08
modified	2019-12-09
plugin id	131803
published	2019-12-09
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131803
title	EulerOS 2.0 SP5 : golang (EulerOS-SA-2019-2529)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2019-E99C1603C3.NASL
description	- Security fix for CVE-2019-16276 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	129858
published	2019-10-15
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129858
title	Fedora 29 : golang (2019-e99c1603c3)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-2940-1.NASL
description	This update for go1.12 fixes the following issues : Security issues fixed : CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082). CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402). Non-security issue fixed: Go was updated to version 1.12.12 (bsc#1141689). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	130900
published	2019-11-12
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130900
title	SUSE SLED15 / SLES15 Security Update : go1.12 (SUSE-SU-2019:2940-1)

Redhat

advisories

rhsa
id RHSA-2020:0101
rhsa
id RHSA-2020:0329
rhsa
id RHSA-2020:0652

rpms

go-toolset-1.12-0:1.12.12-4.el7
go-toolset-1.12-build-0:1.12.12-4.el7
go-toolset-1.12-golang-0:1.12.12-4.el7
go-toolset-1.12-golang-bin-0:1.12.12-4.el7
go-toolset-1.12-golang-docs-0:1.12.12-4.el7
go-toolset-1.12-golang-misc-0:1.12.12-4.el7
go-toolset-1.12-golang-race-0:1.12.12-4.el7
go-toolset-1.12-golang-src-0:1.12.12-4.el7
go-toolset-1.12-golang-tests-0:1.12.12-4.el7
go-toolset-1.12-runtime-0:1.12.12-4.el7
go-toolset-0:1.12.12-2.module+el8.1.0+5317+8a49ffbb
golang-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
golang-bin-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
golang-docs-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
golang-misc-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
golang-race-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
golang-src-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
golang-tests-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

Related news

References