CVE-2022-23773 Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags as tags.

CVE-2022-23773 Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags as tags.

An example of this happening is if there is a feature called “vX.Y.Z” and there was a branch called “vX.Y”. An actor that is supposed to be able to create “vX.Y.Z” branches but not “vX.Y” branches would be able to create a tag called “vX.Y”, which could be used to bypass access control. An update has been released for Go before 1.16.14 and 1.17.x before 1.17.7 that fixes this issue by checking the expected version tag with the expected branch name, and will now reject (rather than silently ignoring) branches with unexpected version tags. An updated has been released for Go before 1.16.14 and 1.17.x before 1.17.7 that fixes this issue by checking the expected version tag with the expected branch name, and will now reject (rather than silently ignore) branches with unexpected version tags. Go 1.17.8 has been released to address this issue. An update has been released for Go before 1.16.14 and 1.17.x before 1.17.7 that fixes this issue by checking the expected version tag with the expected branch name, and will now reject (rather than silently ignore) branches with unexpected version tags. Go 1.17.8 has been released to address this issue. Fix for CVE-2018-

What is Go?

Go is an open source programming language developed by Google that focuses on simplicity and safety. It was used to create the website google.com.
It is completely safe to use as it can only execute code which has been verified as safe by the compiler and a set of static analysis tools. It also features concurrency, garbage collection, and goroutines, which makes writing modern software easier than with other languages. Go was originally conceived at Google in 2007 by Rob Pike with help from Robert Griesemer, Ken Thompson, and Oren Etzioni.

What to do if you are running a vulnerable version of Go?

If you are running a vulnerable version of Go and need to upgrade, we recommend the following steps:
1. Update your Go installations to the latest stable release, 1.17.8 or greater.
2. Upgrade your application deployments to use Go 1.17.8 or greater by replacing an earlier release with the new release in your deployment plan (e.g., replace go1.11 with go1.14).
3. If you have not already disabled support for Go 1.10 and earlier, do so now.
4. If your applications were built using go command or go build, remove them from production as soon as possible and rebuild them using golang/go instead of go command or go build and then deploy those applications again using the new deployments instead of the old ones (see below for more information about why you should do this).
5. If you need to keep older applications that were built against earlier versions of Go in production, update those apps with an upgrade strategy similar to the one outlined above (i.e., rebuild against this version of Go; however, these upgrades may not be supported by all platforms).

Vulnerability Summary

There is a vulnerability in the Go programming language that may allow an attacker to bypass access controls. The bug was fixed on September 25th, 2018 with Go 1.17.8. If you are using Go before 1.16.14 or 1.17.x before 1.17.7, you need to upgrade your installation of the language as soon as possible to fix this issue

What is S3?

S3 is Amazon’s Simple Storage Service. It is a web service for storing and retrieving any amount of data, including files, directories, and database content. S3 also provides access control lists that allow you to share your data with other AWS accounts.
S3 was the first online storage system to offer built-in encryption on the fly for objects stored in buckets.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe