Stop and patch before you Go and run anything

Administrators of Go servers are being encouraged to patch their systems following the discovery of a coding error that, left unaddressed, poses a filter bypass or request smuggling risk.

The vulnerability (CVE-2019-16276) is resolved by updating to either Go 1.13.1 or Go 1.12.10, as appropriate.

In an advisory, the developers of Go – an open source programming language also known as Golang – explain the root cause of the problem:

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.

If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn’t normalize such invalid headers, the reverse proxy and the server can interpret the headers differently.

According to the advisory, the vulnerability could lead to filter bypasses or request smuggling – the latter of which can occur when “requests from separate clients are multiplexed onto the same upstream connection by the proxy”.

“Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications,” the security notice (also posted on GitHub) adds.

The developers credit security researchers Andrew Stucki, Adam Scarr, and Jan Masarik for discovering and reporting the problem.


YOU MIGHT ALSO LIKE Adobe issues emergency patch for critical ColdFusion vulnerabilities