CVE-2019-16276 - HTTP Request Smuggling vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE

Summary

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

Vulnerable Configurations

Part         Description     Count
Application  Golang          149
Application  Redhat          2
Application  Netapp          1
OS           Debian          1
OS           Opensuse        2
OS           Fedoraproject   3
OS           Redhat          3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • HTTP Request Splitting
    HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
  • HTTP Request Smuggling
    HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.

Nessus

  • NASL family: Amazon Linux Local Security Checks
    NASL id: AL2_ALAS-2019-1335.NASL
    description: It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration. (CVE-2019-16276)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130231
    published: 2019-10-25
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130231
    title: Amazon Linux 2 : golang (ALAS-2019-1335)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux 2 Security Advisory ALAS-2019-1335.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130231);
      script_version("1.4");
      script_cvs_date("Date: 2020/01/09");
    
      script_cve_id("CVE-2019-16276");
      script_xref(name:"ALAS", value:"2019-1335");
      script_xref(name:"IAVB", value:"2019-B-0085");
    
      script_name(english:"Amazon Linux 2 : golang (ALAS-2019-1335)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux 2 host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that net/http (through net/textproto) in golang does
    not correctly interpret HTTP requests where an HTTP header contains
    spaces before the colon. This could be abused by an attacker to
    smuggle HTTP requests when a proxy or a firewall is placed behind a
    server implemented in Go or to filter bypasses depending on the
    specific network configuration.(CVE-2019-16276)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/AL2/ALAS-2019-1335.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update golang' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-bin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-docs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-misc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-src");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-tests");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/25");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "2")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"golang-1.9.4-3.amzn2.0.3")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"golang-bin-1.9.4-3.amzn2.0.3")) flag++;
    if (rpm_check(release:"AL2", reference:"golang-docs-1.9.4-3.amzn2.0.3")) flag++;
    if (rpm_check(release:"AL2", reference:"golang-misc-1.9.4-3.amzn2.0.3")) flag++;
    if (rpm_check(release:"AL2", reference:"golang-src-1.9.4-3.amzn2.0.3")) flag++;
    if (rpm_check(release:"AL2", reference:"golang-tests-1.9.4-3.amzn2.0.3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "golang / golang-bin / golang-docs / golang-misc / golang-src / etc");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4534.NASL
    description: It was discovered that the Go programming language did accept and normalize invalid HTTP/1.1 headers with a space before the colon, which could lead to filter bypasses or request smuggling in some setups.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129412
    published: 2019-09-30
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129412
    title: Debian DSA-4534-1 : golang-1.11 - security update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4534. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129412);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/09");
    
      script_cve_id("CVE-2019-16276");
      script_xref(name:"DSA", value:"4534");
      script_xref(name:"IAVB", value:"2019-B-0085");
    
      script_name(english:"Debian DSA-4534-1 : golang-1.11 - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the Go programming language did accept and
    normalize invalid HTTP/1.1 headers with a space before the colon,
    which could lead to filter bypasses or request smuggling in some
    setups."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/golang-1.11"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/buster/golang-1.11"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2019/dsa-4534"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the golang-1.11 packages.
    
    For the stable distribution (buster), this problem has been fixed in
    version 1.11.6-1+deb10u2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-1.11");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/30");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"10.0", prefix:"golang-1.11", reference:"1.11.6-1+deb10u2")) flag++;
    if (deb_check(release:"10.0", prefix:"golang-1.11-doc", reference:"1.11.6-1+deb10u2")) flag++;
    if (deb_check(release:"10.0", prefix:"golang-1.11-go", reference:"1.11.6-1+deb10u2")) flag++;
    if (deb_check(release:"10.0", prefix:"golang-1.11-src", reference:"1.11.6-1+deb10u2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-2521.NASL
    description: This update for go1.12 fixes the following issues : Security issues fixed : - CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082). - CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402). Non-security issue fixed : - Go was updated to version 1.12.12 (bsc#1141689). This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131116
    published: 2019-11-18
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131116
    title: openSUSE Security Update : go1.12 (openSUSE-2019-2521)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-2521.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131116);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/09");
    
      script_cve_id("CVE-2019-16276", "CVE-2019-17596");
      script_xref(name:"IAVB", value:"2019-B-0085");
    
      script_name(english:"openSUSE Security Update : go1.12 (openSUSE-2019-2521)");
      script_summary(english:"Check for the openSUSE-2019-2521 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for go1.12 fixes the following issues :
    
    Security issues fixed :
    
      - CVE-2019-16276: Fixed the handling of invalid HTTP
        headers, which had allowed request smuggling
        (bsc#1152082).
    
      - CVE-2019-17596: Fixed a panic in dsa.Verify caused by
        invalid public keys (bsc#1154402).
    
    Non-security issue fixed :
    
      - Go was updated to version 1.12.12 (bsc#1141689).
    
    This update was imported from the SUSE:SLE-15:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1141689"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1152082"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1154402"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected go1.12 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:go1.12");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:go1.12-race");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/11/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/18");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"go1.12-1.12.12-lp150.11.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"go1.12-race-1.12.12-lp150.11.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "go1.12 / go1.12-race");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-0329.NASL
    description: An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix(es) : * golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling (CVE-2019-16276) * golang: invalid public key causes panic in dsa.Verify (CVE-2019-17596) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-05-21
    modified: 2020-02-05
    plugin id: 133478
    published: 2020-02-05
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133478
    title: RHEL 8 : go-toolset:rhel8 (RHSA-2020:0329)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:0329. The text
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133478);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/20");
    
      script_cve_id("CVE-2019-16276", "CVE-2019-17596");
      script_xref(name:"RHSA", value:"2020:0329");
    
      script_name(english:"RHEL 8 : go-toolset:rhel8 (RHSA-2020:0329)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "An update for the go-toolset:rhel8 module is now available for Red Hat
    Enterprise Linux 8.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Go Toolset provides the Go programming language tools and libraries.
    Go is alternatively known as golang.
    
    Security Fix(es) :
    
    * golang: HTTP/1.1 headers with a space before the colon leads to
    filter bypass or request smuggling (CVE-2019-16276)
    
    * golang: invalid public key causes panic in dsa.Verify
    (CVE-2019-17596)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2020:0329"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16276"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-17596"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11043");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:go-toolset");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-bin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-docs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-misc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-race");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-src");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-tests");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8::appstream");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 8.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
    
    module_ver = get_kb_item('Host/RedHat/appstream/go-toolset');
    if (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module go-toolset:rhel8');
    if ('rhel8' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module go-toolset:' + module_ver);
    
    appstreams = {
        'go-toolset:rhel8': [
          {'reference':'go-toolset-1.12.12-2.module+el8.1.0+5317+8a49ffbb', 'cpu':'aarch64', 'release':'8'},
          {'reference':'go-toolset-1.12.12-2.module+el8.1.0+5317+8a49ffbb', 'cpu':'s390x', 'release':'8'},
          {'reference':'go-toolset-1.12.12-2.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'},
          {'reference':'golang-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'aarch64', 'release':'8'},
          {'reference':'golang-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'s390x', 'release':'8'},
          {'reference':'golang-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'},
          {'reference':'golang-bin-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'aarch64', 'release':'8'},
          {'reference':'golang-bin-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'s390x', 'release':'8'},
          {'reference':'golang-bin-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'},
          {'reference':'golang-docs-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'},
          {'reference':'golang-misc-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'},
          {'reference':'golang-race-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'cpu':'x86_64', 'release':'8'},
          {'reference':'golang-src-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'},
          {'reference':'golang-tests-1.12.12-4.module+el8.1.0+5317+8a49ffbb', 'release':'8'}
        ],
    };
    
    flag = 0;
    appstreams_found = 0;
    foreach module (keys(appstreams)) {
      appstream = NULL;
      appstream_name = NULL;
      appstream_version = NULL;
      appstream_split = split(module, sep:':', keep:FALSE);
      if (!empty_or_null(appstream_split)) {
        appstream_name = appstream_split[0];
        appstream_version = appstream_split[1];
        appstream = get_kb_item('Host/RedHat/appstream/' + appstream_name);
      }
      if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {
        appstreams_found++;
        foreach package_array ( appstreams[module] ) {
          reference = NULL;
          release = NULL;
          sp = NULL;
          cpu = NULL;
          el_string = NULL;
          rpm_spec_vers_cmp = NULL;
          epoch = NULL;
          if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
          if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
          if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
          if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
          if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
          if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
          if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
          if (reference && release) {
            if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
          }
        }
      }
    }
    
    if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module go-toolset:rhel8');
    
    if (flag)
    {
      security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'go-toolset / golang / golang-bin / etc');
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2020-1336.NASL
    descriptionIt was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration.(CVE-2019-16276) Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.(CVE-2019-16276)
    last seen2020-06-01
    modified2020-06-02
    plugin id133006
    published2020-01-17
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133006
    titleAmazon Linux AMI : golang (ALAS-2020-1336)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2020-1383.NASL
    descriptionIt was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration. (CVE-2019-16276)
    last seen2020-06-01
    modified2020-06-02
    plugin id133093
    published2020-01-21
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133093
    titleAmazon Linux 2 : golang (ALAS-2020-1383)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-1_0-0264_GO.NASL
    descriptionAn update of the go package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id132981
    published2020-01-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132981
    titlePhoton OS 1.0: Go PHSA-2020-1.0-0264
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-2522.NASL
    description: This update for go1.12 fixes the following issues : Security issues fixed : - CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082). - CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402). Non-security issue fixed : - Go was updated to version 1.12.12 (bsc#1141689). This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131117
    published: 2019-11-18
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131117
    title: openSUSE Security Update : go1.12 (openSUSE-2019-2522)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_A92DCC5CE05C11E9B58910C37B4AC2EA.NASL
    description: The Go project reports : net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129426
    published: 2019-09-30
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129426
    title: FreeBSD : go -- invalid headers are normalized, allowing request smuggling (a92dcc5c-e05c-11e9-b589-10c37b4ac2ea)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-416D20F960.NASL
    description: - Rebase to 1.12.10 - Security fix for CVE-2019-16276 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129767
    published: 2019-10-10
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129767
    title: Fedora 30 : golang (2019-416d20f960)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2019-1321.NASL
    description: It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration. (CVE-2019-16276)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131241
    published: 2019-11-25
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131241
    title: Amazon Linux AMI : golang (ALAS-2019-1321)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-0101.NASL
    description: An update for go-toolset-1.12 and go-toolset-1.12-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: go-toolset-1.12-golang (1.12.12). (BZ#1759840, BZ#1785389) Security Fix(es) : * golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling (CVE-2019-16276) * golang: invalid public key causes panic in dsa.Verify (CVE-2019-17596) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132948
    published: 2020-01-16
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132948
    title: RHEL 7 : go-toolset-1.12-golang (RHSA-2020:0101)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-1B8CBD39FF.NASL
    description: - Rebase to 1.13.1 - Security fix for CVE-2019-16276 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129698
    published: 2019-10-08
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129698
    title: Fedora 31 : golang (2019-1b8cbd39ff)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2529.NASL
    description: According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.(CVE-2019-16276) - Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.(CVE-2019-17596) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2019-12-09
    plugin id: 131803
    published: 2019-12-09
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131803
    title: EulerOS 2.0 SP5 : golang (EulerOS-SA-2019-2529)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-E99C1603C3.NASL
    description: - Security fix for CVE-2019-16276 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129858
    published: 2019-10-15
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129858
    title: Fedora 29 : golang (2019-e99c1603c3)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-2940-1.NASL
    description: This update for go1.12 fixes the following issues : Security issues fixed : CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082). CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402). Non-security issue fixed: Go was updated to version 1.12.12 (bsc#1141689). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130900
    published: 2019-11-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130900
    title: SUSE SLED15 / SLES15 Security Update : go1.12 (SUSE-SU-2019:2940-1)

Redhat

advisories
  • rhsa
    id: RHSA-2020:0101
  • rhsa
    id: RHSA-2020:0329
  • rhsa
    id: RHSA-2020:0652
rpms
  • go-toolset-1.12-0:1.12.12-4.el7
  • go-toolset-1.12-build-0:1.12.12-4.el7
  • go-toolset-1.12-golang-0:1.12.12-4.el7
  • go-toolset-1.12-golang-bin-0:1.12.12-4.el7
  • go-toolset-1.12-golang-docs-0:1.12.12-4.el7
  • go-toolset-1.12-golang-misc-0:1.12.12-4.el7
  • go-toolset-1.12-golang-race-0:1.12.12-4.el7
  • go-toolset-1.12-golang-src-0:1.12.12-4.el7
  • go-toolset-1.12-golang-tests-0:1.12.12-4.el7
  • go-toolset-1.12-runtime-0:1.12.12-4.el7
  • go-toolset-0:1.12.12-2.module+el8.1.0+5317+8a49ffbb
  • golang-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
  • golang-bin-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
  • golang-docs-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
  • golang-misc-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
  • golang-race-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
  • golang-src-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb
  • golang-tests-0:1.12.12-4.module+el8.1.0+5317+8a49ffbb

References