Google Go HTTP Request Smuggling Multiple Vulnerabilities


Description   (#Several HTTP request smuggling vulnerabilities have been identified in Google's Go language:#- CVE-2015-5739: syntactically invalid headers are parsed as valid and don't provoke a 400 HTTP error#- CVE-2015-5740: double 'Content-length' header fields don't provoke a 400 HTTP error and the second field is ignored#- CVE-2015-5741: sending a 'Content-length' header field in some messages with a 'Transfer-Encoding' field don't provoke a 400 HTTP error##A remote attacker can potentially use the fact that these requests are not correctly handled to bypass some security measures, do cache poisoning or alter some requests to provoke a denial of service.##Updated, 05/08/2015:#The golang packages provided by Debian Wheezy 7 and Jessie 8 are impacted.#Updated, 25/08/2015:#The go and go14 packages provided by FreeBSD are vulnerable.)
     
Vulnerable Products   Vulnerable OS:
Fedora (Red Hat) - 21, 22FreeBSD (FreeBSD) - AllGNU/Linux (Debian) - 7, 8openSUSE (SUSE) - 13.2Vulnerable Software:
     
Solution   Fixed go packages for openSUSE 13.2 are available.
     
CVE   CVE-2015-5741
CVE-2015-5740
CVE-2015-5739
     
References   - oss-sec: CVE Request - Go net/http library - HTTP smuggling
http://seclists.org/oss-sec/2015/q3/237
- Debian Security Tracker : golang
https://security-tracker.debian.org/tracker/CVE-2015-5739
https://security-tracker.debian.org/tracker/CVE-2015-5740
https://security-tracker.debian.org/tracker/CVE-2015-5741
- FEDORA-2015-12957 : Fedora 21 Update: golang-1.4.2-3.fc21
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163971.html
- FEDORA-2015-13002 : Fedora 22 Update: golang-1.4.2-3.fc22
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163980.html
- VuXML : go -- multiple vulnerabilities
http://www.vuxml.org/freebsd/4464212e-4acd-11e5-934b-002590263bf5.html
- FEDORA-2015-15618 : Fedora 21 Update: golang-1.5.1-0.fc21
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.html
- FEDORA-2015-15619 : Fedora 22 Update: golang-1.5.1-0.fc22
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html
- openSUSE-SU-2016:1894-1 : Security update for go
https://lists.opensuse.org/opensuse-updates/2016-07/msg00092.html
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
HTTP Request Smuggling : HTTP command found in header
3.2.0
HTTP Request Smuggling : Content-Length and Transfer-Encoding: chunked fields in header
3.2.0
HTTP Request Smuggling : suspicious syntax using HTTP keyword
3.2.0
HTTP Request Smuggling : multiple Content-Length fields
3.2.0
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2015-07-29 

 Target Type 
Server 

 Possible exploit 
Remote