encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:2704 advisory.

    Red Hat OpenShift Serverless Client kn 1.16.0 provides a CLI to interact with Red Hat OpenShift Serverless     1.16.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for     non-Linux platforms.

    Security Fix(es):

    * golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader     (CVE-2021-27918)

    * golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header     (CVE-2021-31525)

    * golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader     (CVE-2021-27918)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:3555 advisory.

    Red Hat OpenShift Serverless Client kn 1.17.0 provides a CLI to interact with Red Hat OpenShift Serverless     1.17.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for     non-Linux platforms.

    Security Fix(es):

    * serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196 (CVE-2021-3703)

    * golang: crypto/tls: certificate of wrong type is causing TLS client to panic     (CVE-2021-34558)
    * golang: net: lookup functions may return invalid host names (CVE-2021-33195)
    * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty     (CVE-2021-33197)
    * golang: match/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very     large exponents (CVE-2021-33198)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:3076 advisory.

  - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader     (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode,     DecodeElement, or Skip method. (CVE-2021-27918)

  - net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of     service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each     be affected in some configurations. (CVE-2021-31525)

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's     header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of golang installed on the remote host is prior to 1.18.6-1.42. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1635 advisory.

  - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12     and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly     fails to reject the header as invalid. (CVE-2022-1705)

  - Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an     attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. (CVE-2022-1962)

  - Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.
    (CVE-2022-1996)

  - encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount     of PEM data. (CVE-2022-24675)

  - The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to     crash a server in certain circumstances involving AddHostKey. (CVE-2022-27191)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - In Decoder.Skip in encoding/xml in Go before 1.17.12 and 1.18.x before 1.18.4, stack exhaustion and a     panic can occur via a deeply nested XML document. (CVE-2022-28131)

  - The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic     via long scalar input. (CVE-2022-28327)

  - Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero     flags parameter, the Faccessat function could incorrectly report that a file is accessible.
    (CVE-2022-29526)

  - Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3     allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket     ages during session resumption. (CVE-2022-30629)

  - Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a     panic due to stack exhaustion via a path which contains a large number of path separators.
    (CVE-2022-30630)

  - Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker     to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length     compressed files. (CVE-2022-30631)

  - Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via a path containing a large number of path separators.
    (CVE-2022-30632)

  - Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to     cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a     nested field that uses the 'any' field tag. (CVE-2022-30633)

  - Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an     attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
    (CVE-2022-30635)

  - Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by     calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the     X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For     header. (CVE-2022-32148)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of golang installed on the remote host is prior to 1.18.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1830 advisory.

  - A nil pointer dereference in the golang.org/x/crypto/ssh component through     v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH     servers. (CVE-2020-29652)

  - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader     (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode,     DecodeElement, or Skip method. (CVE-2021-27918)

  - archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon     attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any     filename. (CVE-2021-27919)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

  - Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function     invocation from a WASM module, when GOARCH=wasm GOOS=js is used. (CVE-2021-38297)

  - In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating     that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of     an incomplete fix for CVE-2021-33196. (CVE-2021-39293)

  - Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to     Uncontrolled Memory Consumption. (CVE-2022-23772)

  - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to     be version tags. This can lead to incorrect access control if an actor is supposed to be able to create     branches but not tags. (CVE-2022-23773)

  - Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return     true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

  - encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount     of PEM data. (CVE-2022-24675)

  - regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested     expression. (CVE-2022-24921)

  - The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic     via long scalar input. (CVE-2022-28327)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202208-02 (Go: Multiple Vulnerabilities)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. (CVE-2020-28366)

  - Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection. (CVE-2020-28367)

  - encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader     (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode,     DecodeElement, or Skip method. (CVE-2021-27918)

  - archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon     attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any     filename. (CVE-2021-27919)

  - Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address     octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses,     because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. (CVE-2021-29923)

  - In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs,     related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
    (CVE-2021-3114)

  - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code     execution when using the go get command to fetch modules that make use of cgo (for example, cgo can     execute a gcc program from an untrusted download). (CVE-2021-3115)

  - net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of     service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each     be affected in some configurations. (CVE-2021-31525)

  - Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from     DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to     the RFC1035 format. (CVE-2021-33195)

  - In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's     header) can cause a NewReader or OpenReader panic. (CVE-2021-33196)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the     math/big.Rat SetString or UnmarshalText method. (CVE-2021-33198)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

  - Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil     ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

  - Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function     invocation from a WASM module, when GOARCH=wasm GOOS=js is used. (CVE-2021-38297)

  - ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3     Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
    (CVE-2021-41771)

  - Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP     archive containing an invalid name or an empty filename field. (CVE-2021-41772)

  - net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the     header canonicalization cache via HTTP/2 requests. (CVE-2021-44716)

  - Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or     unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-     descriptor exhaustion. (CVE-2021-44717)

  - Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to     Uncontrolled Memory Consumption. (CVE-2022-23772)

  - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to     be version tags. This can lead to incorrect access control if an actor is supposed to be able to create     branches but not tags. (CVE-2022-23773)

  - Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return     true in situations with a big.Int value that is not a valid field element. (CVE-2022-23806)

  - encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount     of PEM data. (CVE-2022-24675)

  - regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested     expression. (CVE-2022-24921)

  - Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when     presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to     panic. (CVE-2022-27536)

  - The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic     via long scalar input. (CVE-2022-28327)

  - Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero     flags parameter, the Faccessat function could incorrectly report that a file is accessible.
    (CVE-2022-29526)

  - golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

  - golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

  - Automatic update for grafana-8.5.6-1.fc37.  ##### **Changelog**  ``` * Wed Jun 29 2022 Andreas Gerstmayr     <agerstmayr@redhat.com> 8.5.6-1 - update to 8.5.6 tagged upstream community sources, see CHANGELOG -     updated license to AGPLv3 - place commented sample config file in /etc/grafana/grafana.ini - enable Go     modules in build process - adapt Node.js bundling to yarn v3 and Zero Install feature * Sun Jun 19 2022     Robert-Andr Mauchin <zebob.m@gmail.com> - 7.5.15-3 - Rebuilt for CVE-2022-1996, CVE-2022-24675,     CVE-2022-28327, CVE-2022-27191,   CVE-2022-29526, CVE-2022-30629  ``` (CVE-2022-30629)

  - golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

  - golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

  - golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

  - golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

  - golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

  - golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

  - The Go project reports: encoding/gob & math/big: decoding big.Float and             big.Rat can panic     Decoding big.Float and big.Rat types can panic if the             encoded message is too short.
    (CVE-2022-32189)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-3076 advisory.

    - Addresses CVE-2021-34558
    - Addresses CVE-2021-34558

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:3076 advisory.

  - golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader     (CVE-2021-27918)

  - golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)

  - golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)

  - golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3076 advisory.

    Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

    The following packages have been upgraded to a later upstream version: golang (1.15.14). (BZ#1982287)

    Security Fix(es):

    * golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader     (CVE-2021-27918)

    * golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header     (CVE-2021-31525)

    * golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)

    * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * FIPS mode AES CBC CryptBlocks incorrectly re-initializes IV in file crypto/internal/boring/aes.go     (BZ#1978567)

    * FIPS mode AES CBC Decrypter produces incorrect result (BZ#1983976)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the version of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - encoding/xml in Go before 1.15.9 and 1.16.x before     1.16.1 has an infinite loop if a custom TokenReader     (for xml.NewTokenDecoder) returns EOF in the middle of     an element. This can occur in the Decode,     DecodeElement, or Skip method.(CVE-2021-27918)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the go package has been released.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-9268 advisory.

    - Fix for CVE-2021-27918
    - Address CVE-2021-27918

    etcd
    - Address CVE-2021-27918

    flannel
    - Address CVE-2021-27918

    yq
    - Address CVE-2021-27918

    conmon
    - Address CVE-2021-27918

    conmon
    - Address CVE-2021-27918

    helm
    - Address CVE-2021-27918

    kata-proxy
    - Address CVE-2021-27918

    kata-shim
    - Address CVE-2021-27918

    kata-runtime
    - Address CVE-2021-27918

    kata-ksm-throttler
    - Address CVE-2021-27918

    kata-image
    - Address CVE-2021-27918

    kata-agent
    - Fix for CVE-2021-27918

    kata
    - Address CVE-2021-27918
    - Address CVE-2021-27918

    kubernetes-dashboard
    - Address CVE-2021-27918

    kubernetes
    - Address CVE-2021-27918

    istio
    - Address CVE-2021-27918
    - Address Istio CVE-2021-28683, CVE-2021-28682 & CVE-2021-29258

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-9267 advisory.

    - Address CVE-2021-27918

    coredns
    - Fix for CVE-2021-27918
    - Address CVE-2021-27918

    etcd
    - Address CVE-2021-27918

    flannel
    - Address CVE-2021-27918
    - Address CVE-2021-27918

    conmon
    - Address CVE-2021-27918

    conmon
    - Address CVE-2021-27918

    kata-proxy
    - Address CVE-2021-27918

    kata-shim
    - Address CVE-2021-27918

    kata-runtime
    - Address CVE-2021-27918

    kata-ksm-throttler
    - Address CVE-2021-27918

    kata-image
    - Address CVE-2021-27918

    kata-agent
    - Fix for CVE-2021-27918

    kata
    - Address CVE-2021-27918
    - Address CVE-2021-27918

    kubernetes-dashboard
    - Address CVE-2021-27918

    kubernetes
    - Address CVE-2021-27918

    istio
    - Address CVE-2021-27918
    - Address Istio CVE-2021-28683, CVE-2021-28682 & CVE-2021-29258

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for go1.15 fixes the following issues :

  - go1.15.10 (released 2021-03-11) (bsc#1175132)

  - go1.15.9 (released 2021-03-10) (bsc#1175132)

  - CVE-2021-27918: Fixed an infinite loop when using     xml.NewTokenDecoder with a custom TokenReader     (bsc#1183333).

This update was imported from the SUSE:SLE-15:Update update project.

This update for go1.15 fixes the following issues :

go1.15.10 (released 2021-03-11) (bsc#1175132)

go1.15.9 (released 2021-03-10) (bsc#1175132)

  - CVE-2021-27918: Fixed an infinite loop when using     xml.NewTokenDecoder with a custom TokenReader     (bsc#1183333).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for go1.16 fixes the following issues :

go1.16.2 (released 2021-03-11) (bsc#1182345)

go1.16.1 (released 2021-03-10) (bsc#1182345)

  - CVE-2021-27918: Fixed an infinite loop when using     xml.NewTokenDecoder with a custom TokenReader     (bsc#1183333).

  - CVE-2021-27919: Fixed an issue where archive/zip: can     panic when calling Reader.Open (bsc#1183334).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Go project reports :

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.

The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with '../'.

ID	Name	Product	Family	Severity
210307	RHEL 8 : Release of OpenShift Serverless Client kn 1.16.0 (Moderate) (RHSA-2021:2704)	Nessus	Red Hat Local Security Checks	high
199697	RHEL 7 : cli (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	critical
194274	RHEL 8 : Release of OpenShift Serverless Client kn 1.17.0 (Moderate) (RHSA-2021:3555)	Nessus	Red Hat Local Security Checks	high
184704	Rocky Linux 8 : go-toolset:rhel8 (RLSA-2021:3076)	Nessus	Rocky Linux Local Security Checks	high
168435	Amazon Linux AMI : golang (ALAS-2022-1635)	Nessus	Amazon Linux Local Security Checks	critical
163918	Amazon Linux 2 : golang (ALAS-2022-1830)	Nessus	Amazon Linux Local Security Checks	critical
163840	GLSA-202208-02 : Go: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
152513	Oracle Linux 8 : go-toolset:ol8 (ELSA-2021-3076)	Nessus	Oracle Linux Local Security Checks	high
152454	CentOS 8 : go-toolset:rhel8 (CESA-2021:3076)	Nessus	CentOS Local Security Checks	high
152448	RHEL 8 : go-toolset:rhel8 (RHSA-2021:3076)	Nessus	Red Hat Local Security Checks	high
151776	EulerOS 2.0 SP5 : golang (EulerOS-SA-2021-2217)	Nessus	Huawei Local Security Checks	high
151246	EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-2050)	Nessus	Huawei Local Security Checks	high
151243	EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-2061)	Nessus	Huawei Local Security Checks	high
151040	EulerOS 2.0 SP8 : golang (EulerOS-SA-2021-1980)	Nessus	Huawei Local Security Checks	high
150285	Photon OS 3.0: Go PHSA-2021-3.0-0248	Nessus	PhotonOS Local Security Checks	medium
150062	Oracle Linux 7 : olcne (ELSA-2021-9268)	Nessus	Oracle Linux Local Security Checks	high
150061	Oracle Linux 8 : olcne (ELSA-2021-9267)	Nessus	Oracle Linux Local Security Checks	high
149054	Photon OS 4.0: Go PHSA-2021-4.0-0013	Nessus	PhotonOS Local Security Checks	medium
148203	openSUSE Security Update : go1.15 (openSUSE-2021-480)	Nessus	SuSE Local Security Checks	high
148168	SUSE SLED15 / SLES15 Security Update : go1.15 (SUSE-SU-2021:0938-1)	Nessus	SuSE Local Security Checks	high
148139	SUSE SLED15 / SLES15 Security Update : go1.16 (SUSE-SU-2021:0937-1)	Nessus	SuSE Local Security Checks	high
147697	FreeBSD : go -- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader; archive/zip: panic when calling Reader.Open (72709326-81f7-11eb-950a-00155d646401)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2021-27918

high

Tenable Plugins

high

high

critical

high

high

critical

critical

critical

high

high

high

high

high

high

high

medium

high

high

medium

high

high

high

high